From: "Mark M." <markm@voicenet.com>
Date: Thu, 14 Mar 1996 08:23:44 +0800
To: Bruce Zambini <jlasser@rwd.goucher.edu>
Subject: Re: anonymous web pages (Was: SurfWatch)
In-Reply-To: <Pine.SUN.3.91.960312003232.4898A-100000@rwd.goucher.edu>
Message-ID: <Pine.LNX.3.91.960312152602.197B-100000@gak>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 12 Mar 1996, Bruce Zambini wrote:

> On Sun, 10 Mar 1996, Mark M. wrote:
> 
> > On Sat, 9 Mar 1996, Dan Cross wrote:
> >  
> > > This is an interesting idea, though I think a really really insecure one.
> > > What's keeping someone from posting ``trojan web pages'' and then waiting
> > > for the pages to be soaked up by servers?  Something that says ``click
> > > <here> to see the /etc/passwd file for this site!'' which runs some funky
> > > CGI thing to cat /etc/passwd or, ``Enter your credit card number to buy
> > > super wiz-bang gadget!'' or the like is a really scary, but very real,
> > > possibility if great care is not taken in setting this kind of thing up.
> > > News servers, on the other hand, don't suffer from this problem because
> > > the data which they contain is much more passive in nature (at least, while
> > > in the spool..) than HTML.
> > 
> > The obvious fix would just be to disallow the use of CGI scripts in anonymous
> > web pages.  In order for a file to be designated a CGI script, the must
> > be explicitly specified as such in the httpd configuration.  The web is
> > every bit as passive as Usenet.  The only difference is you can't make a
> > program that will execute on the NNTP server everytime it is retrieved (which
> > would be the Usenet equivalent of CGI).
> 
> Doesn't solve the problem completely, or even the individual example 
> given above.
> 
> >From your public html directory, try 'ln -s /etc/passwd passwords.txt'.
> 
> Then add a link to your homepage.... 

In order to add a symbolic link on a file system, you have to have shell
access to that system.  The whole point of this anonymous web pages thread
is that web pages could be distributed among different servers which could
store the pages on the filesystem and make access available through the
web.  An attacker could not put a link to the password file simply through
anonymous web pages.  Besides, password file should be shadowed anyway, and
httpd should never be run as root.

- --Mark

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm@voicenet.com              | finger -l for PGP key 0xf9b22ba5
http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5
"The concept of normalcy is just a conspiracy of the majority" -me


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv

iQCVAwUBMUXe8bZc+sv5siulAQHu8gP9FAy5ylQULMIUxRWB36Ab/33CdpTexa+5
cv0ezgxAkD06Ui6Epfn4Vj1qmNl9YFs4klHUmGT3dloxiJE7/jHmgLzvb/ka7NUT
5IxXBIsHbD+UOrUkn4g4iHjjAS6PJpMEElvtpN2EAZP8lTyjrTmo+D/8lLEvbL+D
5df/zqRYd6E=
=JekR
-----END PGP SIGNATURE-----