From: Bruce Zambini <jlasser@rwd.goucher.edu>
To: "Mark M." <markm@voicenet.com>
Message Hash: 9f3787866e3f0d27321e50941b72b120489ee37510f8a83af0cac432b9177987
Message ID: <Pine.SUN.3.91.960312003232.4898A-100000@rwd.goucher.edu>
Reply To: <Pine.LNX.3.91.960310192841.2110A-100000@gak>
UTC Datetime: 1996-03-12 12:15:45 UTC
Raw Date: Tue, 12 Mar 1996 20:15:45 +0800
Subject: Re: anonymous web pages (Was: SurfWatch)
MIME-Version: 1.0
Content-Type: text/plain
On Sun, 10 Mar 1996, Mark M. wrote:
> On Sat, 9 Mar 1996, Dan Cross wrote:
>
> > This is an interesting idea, though I think a really really insecure one.
> > What's keeping someone from posting ``trojan web pages'' and then waiting
> > for the pages to be soaked up by servers? Something that says ``click
> > <here> to see the /etc/passwd file for this site!'' which runs some funky
> > CGI thing to cat /etc/passwd or, ``Enter your credit card number to buy
> > super wiz-bang gadget!'' or the like is a really scary, but very real,
> > possibility if great care is not taken in setting this kind of thing up.
> > News servers, on the other hand, don't suffer from this problem because
> > the data which they contain is much more passive in nature (at least, while
> > in the spool..) than HTML.
>
> The obvious fix would just be to disallow the use of CGI scripts in anonymous
> web pages. In order for a file to be designated a CGI script, the file must
> be explicitly specified as such in the httpd configuration. The web is
> every bit as passive as Usenet. The only difference is you can't make a
> program that will execute on the NNTP server every time it is retrieved (which
> would be the Usenet equivalent of CGI).
Doesn't solve the problem completely, or even the individual example
given above.
From your public html directory, try 'ln -s /etc/passwd passwords.txt'.
Then add a link to your homepage....
Jon
----------
Jon Lasser (410)494-3072
jlasser@rwd.goucher.edu
http://www.goucher.edu/~jlasser/
Finger for PGP key (1024/EC001E4D)
- Obscenity is a crutch for inarticulate motherfuckers.
- Fuck the CDA.
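As an added example (not from the thread), a defender's check for the symlink trick Jon describes: walk an anonymous-page directory and flag every symlink whose resolved target leaves the document root, including directory symlinks. The public_html layout it inspects is constructed in a temporary directory.

```python
import os
import tempfile


def escaped_symlinks(docroot):
    """Return (relative path, real target) for every symlink under docroot
    whose real target lies outside docroot's own real path."""
    root = os.path.realpath(docroot)
    findings = []
    # followlinks=False: never descend into a symlinked directory
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves every link component
            if os.path.commonpath([root, target]) != root:
                findings.append((os.path.relpath(path, docroot), target))
    return sorted(findings)


def demo():
    """Build a constructed public_html tree and run the check over it."""
    with tempfile.TemporaryDirectory() as tmp:
        public = os.path.join(tmp, "public_html")
        os.makedirs(os.path.join(public, "docs"))
        with open(os.path.join(public, "index.html"), "w") as f:
            f.write("<a href=passwords.txt>click here</a>\n")
        # the case from the thread: a file link pointing out of the web tree
        os.symlink("/etc/passwd", os.path.join(public, "passwords.txt"))
        # a relative link that stays inside the tree is not reported
        os.symlink("../index.html", os.path.join(public, "docs", "home.html"))
        # a directory link climbing above the web tree is also reported
        os.symlink(tmp, os.path.join(public, "up"))
        return escaped_symlinks(public)


if __name__ == "__main__":
    for rel, target in demo():
        print(f"{rel} -> {target}")
```

The walk finds links that are already planted; serving the directory with symlink following disabled (Apache httpd's `Options -FollowSymLinks`, or `SymLinksIfOwnerMatch` to allow only same-owner targets) stops the server from honouring them in the first place.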