[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: anonymous web pages (Was: SurfWatch)



-----BEGIN PGP SIGNED MESSAGE-----

On Sat, 9 Mar 1996, Dan Cross wrote:
 
> This is an interesting idea, though I think a really really insecure one.
> What's keeping someone from posting ``trojan web pages'' and then waiting
> for the pages to be soaked up by servers?  Something that says ``click
> <here> to see the /etc/passwd file for this site!'' which runs some funky
> CGI thing to cat /etc/passwd or, ``Enter your credit card number to buy
> super wiz-bang gadget!'' or the like is a really scary, but very real,
> possibility if great care is not taken in setting this kind of thing up.
> News servers, on the other hand, don't suffer from this problem because
> the data which they contain is much more passive in nature (at least, while
> in the spool..) than HTML.

The obvious fix would just be to disallow the use of CGI scripts in anonymous
web pages.  In order for a file to be designated a CGI script, the must
be explicitly specified as such in the httpd configuration.  The web is
every bit as passive as Usenet.  The only difference is you can't make a
program that will execute on the NNTP server everytime it is retrieved (which
would be the Usenet equivalent of CGI).

- --Mark

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[email protected]              | finger -l for PGP key 0xf9b22ba5
http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5
"The concept of normalcy is just a conspiracy of the majority" -me

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv

iQCVAwUBMUN0ybZc+sv5siulAQGlSAP+N+4Cm0PVcU3zU0WQC6O7m/JXQQJA5RuP
dF4/b1OhB8iGeT41PFZhJ/XL94KjKRwmA8TptPThaUKjbJ9feYj6ixm6LvT0xyRY
kGDKQkCF4wi3hHlVAw8ADembUw5+gQlNe3xrqnNsXPoZ5FDBpqHqQjFlPOiQhDbV
+lR85iyPbRI=
=/G3y
-----END PGP SIGNATURE-----