Firewall Wizards mailing list archives

Re: Web Site Hacks


From: "Bruce B. Platt" <bbp () comport com>
Date: Thu, 04 Dec 1997 08:41:45 -0500

At 09:10 PM 12/2/97 GMT, Edward Cracknell wrote:
Web Site Hacks:

... snip ...


Assuming the Web server is behind the firewall and only http is allowed:



... snip ...

Others have commented on the specific issues Edward raised, like creating the
telnet link, DNS.

What's more interesting is just because your web-server is behind a
firewall, or in a DMZ doesn't mean it's safe.  Web servers have a history of
susceptibilities to things like buffer overruns, etc., which protecting them
in blue or green nets doesn't stop.

I'm not willing to say that all popularly used web servers are 100%
guaranteed to be breach proof.

Or, suppose I go all out and place a web server, ftp, gopher site in a blue
or green zone and then muck up the file protections to the ftp/incoming
directory, or perhaps worse, the ftp/pub directory so someone can write to
it, ...  I think I'm probably fair game for someone cleverer than I to do some
things I'd rather they not.

Now, screend rules on the firewall can help, but if I can make a simple
mistake in setting up the ftp root, etc., then I wouldn't trust my screend
rules either.

Regards,

Bruce
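
As an added example (not from the original thread or any of its posters), a small POSIX shell audit for the ftp/pub and ftp/incoming file-protection mistake Bruce describes: it lists every world-writable entry under an anonymous-FTP root and checks that a deliberate drop box is sticky. The directory names, the 1733 drop-box mode and the sample tree are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits an anonymous-FTP root
# for the misconfiguration described above: files or directories under the
# ftp root (pub/, incoming/, ...) left writable by "other".

# Print every entry below FTP_ROOT that has the other-write bit set (o+w).
# Octal -0002 is used so the test works with both GNU and BSD find.
audit_ftp_root() {
    ftp_root="$1"
    find "$ftp_root" -perm -0002 ! -path "$ftp_root" 2>/dev/null | sort
}

# Number of world-writable entries; a tree whose only writable place is a
# deliberate incoming/ drop box returns 1.
count_world_writable() {
    audit_ftp_root "$1" | wc -l | tr -d ' '
}

# Return 0 if the directory is sticky (one anonymous user cannot delete
# another's upload), 1 otherwise. `ls -ld` shows t/T in mode position 10.
incoming_is_sticky() {
    case "$(ls -ld "$1" | cut -c10)" in
        t|T) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample tree in a temp dir so the example runs offline.
# pub/README is the mistake: a published file anyone can overwrite.
make_sample_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/pub" "$root/incoming"
    chmod 0755 "$root/pub"          # pub: read-only for others
    chmod 1733 "$root/incoming"     # drop box: write+exec, sticky, not listable
    echo "readme" > "$root/pub/README"
    chmod 0666 "$root/pub/README"   # the mistake being audited
    echo "$root"
}

# Usage on a real host (assumed path): audit_ftp_root /srv/ftp
```

Run `audit_ftp_root` against the real ftp root; anything it prints other than an intentionally sticky incoming/ directory is a file protection to fix.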
