1996-03-11 - Re: anonymous web pages (Was: SurfWatch)

Header Data

From: “Mark M.” <markm@voicenet.com>
To: cypherpunks@toad.com
Message Hash: 4aa2cc1e0964bbbb6b210e92f9729a7a77ff7e079ef26d777492546bb99ccdbc
Message ID: <Pine.LNX.3.91.960310192841.2110A-100000@gak>
Reply To: <199603100450.XAA16800@hausdorff.math.psu.edu>
UTC Datetime: 1996-03-11 01:03:25 UTC
Raw Date: Mon, 11 Mar 1996 09:03:25 +0800

Raw message

From: "Mark M." <markm@voicenet.com>
Date: Mon, 11 Mar 1996 09:03:25 +0800
To: cypherpunks@toad.com
Subject: Re: anonymous web pages (Was: SurfWatch)
In-Reply-To: <199603100450.XAA16800@hausdorff.math.psu.edu>
Message-ID: <Pine.LNX.3.91.960310192841.2110A-100000@gak>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

On Sat, 9 Mar 1996, Dan Cross wrote:
 
> This is an interesting idea, though I think a really really insecure one.
> What's keeping someone from posting ``trojan web pages'' and then waiting
> for the pages to be soaked up by servers?  Something that says ``click
> <here> to see the /etc/passwd file for this site!'' which runs some funky
> CGI thing to cat /etc/passwd or, ``Enter your credit card number to buy
> super wiz-bang gadget!'' or the like is a really scary, but very real,
> possibility if great care is not taken in setting this kind of thing up.
> News servers, on the other hand, don't suffer from this problem because
> the data which they contain is much more passive in nature (at least, while
> in the spool..) than HTML.

The obvious fix would just be to disallow the use of CGI scripts in anonymous
web pages.  In order for a file to be designated a CGI script, it must
be explicitly specified as such in the httpd configuration.  The web is
every bit as passive as Usenet.  The only difference is you can't make a
program that will execute on the NNTP server every time it is retrieved (which
would be the Usenet equivalent of CGI).

- --Mark

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm@voicenet.com              | finger -l for PGP key 0xf9b22ba5
http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5
"The concept of normalcy is just a conspiracy of the majority" -me

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv

iQCVAwUBMUN0ybZc+sv5siulAQGlSAP+N+4Cm0PVcU3zU0WQC6O7m/JXQQJA5RuP
dF4/b1OhB8iGeT41PFZhJ/XL94KjKRwmA8TptPThaUKjbJ9feYj6ixm6LvT0xyRY
kGDKQkCF4wi3hHlVAw8ADembUw5+gQlNe3xrqnNsXPoZ5FDBpqHqQjFlPOiQhDbV
+lR85iyPbRI=
=/G3y
-----END PGP SIGNATURE-----
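
The configuration point made in the reply above, shown as an added example that is not part of the original message. It assumes Apache httpd 2.4 syntax (the post names no particular server), and the path /srv/anonweb and URL prefix /anon/ are hypothetical.

```apache
# Added example. /srv/anonweb and /anon/ are hypothetical names for the
# area that holds anonymously submitted pages.

# Weak: any submitted *.cgi file is executed by the server on request,
# and a submitted .htaccess file can change handlers for its directory.
#   <Directory "/srv/anonweb">
#       Options +ExecCGI
#       AddHandler cgi-script .cgi
#       AllowOverride All
#   </Directory>

# Hardened: content in this tree is only ever served as static files.
# Do not point any ScriptAlias at or below this directory.
Alias "/anon/" "/srv/anonweb/"
<Directory "/srv/anonweb">
    # Options None turns off ExecCGI, server-side includes and indexes.
    Options None
    # Ignore submitted .htaccess files so a page cannot re-enable CGI.
    AllowOverride None
    # Use the static-file handler even if a global AddHandler maps .cgi
    # to cgi-script (SetHandler takes precedence over AddHandler).
    SetHandler default-handler
    Require all granted
</Directory>
```

Running `apachectl configtest` after the change checks the syntax; requesting a submitted `.cgi` file should then return its text rather than its output.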
