Re: Firewall RISKS

[Adam Shostack <adam () homeport org>]

On Tue, Jun 01, 1999 at 07:49:56PM -0700, Robert Graham wrote:

| The ColdFusion bug was not really Allaire's fault -- the bug was in a
| sample script that Allaire recommends be removed from a production web
| server. Almost every web-site creation package like ColdFusion has the
| same problem, including Microsoft's ASP scripting, FrontPage web
| hosting, and sample CGI programs. Administrators feel safe behind

        I'm sorry, but you're wrong.  The ColdFusion bug was Allaire's
fault.  They wrote and shipped crap sample code that has security
flaws in it.  That code has probably been modified into other
vulnerable programs.  There are a reasonably large number of secure
programming FAQs available; Matt Bishop has one, there's one in
Garfinkel and Spafford, there's one I wrote.

        I've seen academic references in 1976 or so that programs that
don't validate their input are vulnerable to attack.  To absolve a
company of blame for shipping bogus code is wrong.  They screwed up.
They got lots of people in trouble.  They wasted lots of people's
time.

        If you don't have time to do the sample code right, don't ship 
it.  Its been a long time since a problem like this was found in
Apache; NCSA had a slew, and the web folks learned.  You can read the
history of it in the bugtraq archives.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume