Re: Policing user CGI scripts
From: all mail refused (elvis_at_notatla.org.uk)
Date: 07/04/04
- Next message: Tom Jordan: "Re: Customizing Security"
- Previous message: Akop Pogosian: "Policing user CGI scripts"
- In reply to: Akop Pogosian: "Policing user CGI scripts"
- Next in thread: Walter Roberson: "Re: Policing user CGI scripts"
- Reply: Walter Roberson: "Re: Policing user CGI scripts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 4 Jul 2004 19:25:57 GMT
In article <cc9e9f$25mt$1@agate.berkeley.edu>, Akop Pogosian wrote:
>Does there exist a security tool that can be used to scan the user
>home directories for presence of the versions of popular, freely
>distributed CGI or .php scripts that have well known security
>problems? Of course, if such tool could also look for the dangerous
>code in general that would be even better.
You'd have to decide what you call a security problem -
have you got an AUP for these users?
It's fairly easy to scan CGIs for lack of tainting and use
of the
    system([^,]+)
    exec([^,]+)
and
    open("$foo|"), open("|$foo")
constructions.
I like to constrain code where possible so that it can't
have unwanted results. (Consider SubDomain, systrace etc)
For instance I like webservers to accept TCP traffic on just
2 ports (80, 22) and to be unable to originate any TCP traffic at all.
That prevents spam relaying and the like without needing
to know the properties of the CGIs.
--
Elvis Notargiacomo   master AT barefaced DOT cheek   http://www.notatla.org.uk/goen/
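The kind of grep-level scan Elvis describes, written out as an added example (this is not code from the original post or from any tool it mentions). It walks Perl CGI sources looking for the three things the reply names: a shebang without the -T taint switch, single-argument system()/exec() calls (no comma, so Perl hands the whole string to /bin/sh), and a piped open() whose command string interpolates a variable. The three scripts it runs over are constructed for the demonstration; the regexes are a line-by-line heuristic like the patterns in the post, not a Perl parser, so a string literal that happens to contain "system(" will also be flagged and is worth a manual look rather than an automatic verdict.

```python
"""Heuristic scanner for risky constructions in Perl CGI scripts.

Added example; not code from the original post. Flags:
  * a first line that is not a perl shebang carrying -T (taint mode),
  * system()/exec() with a single argument (shell gets the whole string),
  * open() whose mode string begins or ends with '|' and contains a $variable.
"""
import os
import re

# system(...) or exec(...) with no comma between the brackets: one string,
# so Perl runs it through /bin/sh and interpolated variables become shell input.
SINGLE_ARG_SHELL = re.compile(r'\b(system|exec)\b\s*\(?\s*([^,;()]+?)\)?\s*;')

# open(FH, "|$cmd") or open(FH, "$cmd|"): a pipe to or from a shell command
# whose text is built from a variable.
PIPED_OPEN = re.compile(r'\bopen\b[^;]*"(\|[^"]*\$[^"]*|[^"]*\$[^"]*\|)"')

# Shebang with -T, alone or bundled with other switches such as -wT.
TAINT_SHEBANG = re.compile(r'^#!.*perl.*\s-\w*T')


def scan_script(name, source):
    """Return a list of (script, line_no, rule, line_text) findings."""
    findings = []
    lines = source.splitlines()
    first = lines[0] if lines else ""
    if not TAINT_SHEBANG.match(first):
        findings.append((name, 1, "no-taint-mode", first))
    for no, line in enumerate(lines, start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # comment line (or the shebang itself)
        if SINGLE_ARG_SHELL.search(stripped):
            findings.append((name, no, "single-arg-system-or-exec", stripped))
        if PIPED_OPEN.search(stripped):
            findings.append((name, no, "piped-open-with-variable", stripped))
    return findings


def scan_directory(root, suffixes=(".cgi", ".pl")):
    """Scan every *.cgi / *.pl file below root (e.g. a home directory tree)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.endswith(suffixes):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results[path] = scan_script(path, fh.read())
    return results


# Constructed sample scripts (not real user code): one careless, two careful.
SAMPLE_SCRIPTS = {
    "guestbook.cgi": "\n".join([
        '#!/usr/bin/perl',
        'use CGI;',
        'my $q = CGI->new;',
        'my $name = $q->param("name");',
        'system("echo $name >> /tmp/book");',
        'open(MAIL, "|/usr/sbin/sendmail $name");',
    ]),
    "safe.cgi": "\n".join([
        '#!/usr/bin/perl -T',
        'use strict;',
        'print "Content-type: text/plain\\n\\n";',
        'print "hello\\n";',
    ]),
    "upload.cgi": "\n".join([
        '#!/usr/bin/perl -wT',
        'use strict;',
        'my $dir = "/var/www/uploads";',
        'system("/bin/ls", "-l", $dir);',   # list form: no shell involved
        'open(my $fh, "<", "$dir/index") or die;',
    ]),
}


def demo():
    """Scan the constructed samples; returns {script_name: findings}."""
    return {name: scan_script(name, src) for name, src in SAMPLE_SCRIPTS.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        for _script, no, rule, text in findings:
            print(f"{name}:{no}: {rule}: {text}")
```

Run as-is it reports three findings in guestbook.cgi (no -T, a single-argument system() and a piped open with $name) and nothing in the two scripts that use taint mode and the list form of system(); pointing scan_directory() at /home would give the per-file view the original question asks for, leaving the AUP question of what counts as a problem to the site.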