I don't know if this was one of the retransmissions you were looking for,
but here you go just in case.

-------------------------------------

I usually do a combination of things.

        * You can check domains, but they can be spoofed,
          so that in itself is not a cure. It's a start.

        * Does the site have a static IP? You can set
          the script only to run if called from that IP.
          Once again 'spoofable' but less than a domain
          on its own.

        * Use the CGI.pm module's built-in data limit
          function. You can set POST_MAX to a reasonable
          level to avoid buffer overflow issues, or just
          set DISABLE_UPLOADS = 1 if no files are going
          to be uploaded.

        * Are you on UNIX? Most of my sites are on some
          flavor of *NIX and I run my scripts suid. You
          can explicitly tell the script that it can
          run -only- as the user, not even as the httpd
          daemon. (#!/usr/bin/perl -U with the script
          directory chmod'd 4711)


Scot Robnett
inSite Internet Solutions
[EMAIL PROTECTED]
[EMAIL PROTECTED]
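
As an added example (not Scot's code and not from the CGI.pm documentation), here is a small script that applies the POST_MAX / DISABLE_UPLOADS limits and the static-IP check described above; the allowed address 192.0.2.10, the 100 KB limit and the "name" form field are constructed placeholders, and the -T (taint) switch is my own choice rather than the -U mentioned in the post.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;

# Refuse request bodies larger than 100 KB (constructed limit) before they are read.
$CGI::POST_MAX = 100 * 1024;
# No uploads are needed here, so reject any multipart file upload outright.
$CGI::DISABLE_UPLOADS = 1;

my $q = CGI->new;

# Optional caller restriction: only accept requests from one known address.
# 192.0.2.10 is a placeholder; REMOTE_ADDR can still be spoofed, as noted above.
my %allowed_ip = ('192.0.2.10' => 1);
my $remote = $ENV{REMOTE_ADDR} // '';
unless ($allowed_ip{$remote}) {
    print $q->header(-status => '403 Forbidden');
    exit 0;
}

# CGI.pm does not die on an oversize body or a disabled upload; it records
# the condition in cgi_error() and drops the parameters. Check it first.
if (my $err = $q->cgi_error) {
    print $q->header(-status => $err),
          $q->start_html('Request rejected'),
          $q->h1('Request rejected'),
          $q->p('The server refused this request: ', $q->escapeHTML($err)),
          $q->end_html;
    exit 0;
}

# Whitelist the one field we use: short, alphanumeric, otherwise fall back.
my $name = $q->param('name') // '';
($name) = $name =~ /\A([A-Za-z0-9 ]{1,40})\z/ or $name = 'guest';

# escapeHTML keeps user input from being interpreted as markup in the page.
print $q->header(-type => 'text/html; charset=UTF-8'),
      $q->start_html('Hello'),
      $q->p('Hello, ', $q->escapeHTML($name)),
      $q->end_html;
```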




-----Original Message-----
From: David T-G [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 30, 2002 11:53 AM
To: Beginners CGI
Cc: John Brooking
Subject: Re: URL for security issue?


John, et al --

....and then John Brooking said...
%
% Gang,

Hello!


%
%    A week or three ago, someone referred to a page
% that discussed security issues when using CGI input to
% send out to a web page. I thought I had bookmarked the
% page or saved the email, but I can't find it now.
% Could whoever posted it please do so again, or maybe
% just email it to me privately? Thanks!

Actually, I'd appreciate such a thing, too.  I just went back through my
list mailbox looking for "cgi" and "security" in the body and don't see
anything relating to a pointers page; the closest is Ovid's response to
Fred Sahakian outlining some things to check when looking at a CGI script.


%
% - John


HTH & HAND

:-D
--
David T-G                      * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/    Shpx gur Pbzzhavpngvbaf Qrprapl Npg!



