Firewall Wizards mailing list archives

Re: Web Site Hacks


From: Aleph One <aleph1 () dfw net>
Date: Sat, 6 Dec 1997 02:07:25 -0600 (CST)

On Fri, 5 Dec 1997, Chad Schieken wrote:

> The question I wrestle with every day is how to protect the webservers from themselves (CGI, NSAPI, server plugins,
> etc). It's been my experience that most of the web applications being developed take very few steps to protect
> themselves.
>
> My solution has been individual reviews of each app. This is hugely expensive, and not reliable (IMHO). But what
> alternatives are there?
>
> Even putting the "perfect" firewall in front of the webserver doesn't protect it from the biggest liability, itself.
>
> I think the webservers need to implement some sort of sanity checking of input to the various server side
> applications, like CGI, or server plugins, etc.
>
> Has anyone ever seen this even considered in any webserver?

The solution is to use a trusted operating system and run each CGI script
or set of CGI scripts in its own compartment. Of course this helps you
little if you are using NSAPI or some other web server API where the
program actually runs in the same address space as the web server. Another
alternative is to have the web server forward CGI requests to another
server for execution and forward the results to the browser. This should be
easily accomplished. Locate the CGI server in some firewalled network
where it can't do damage.

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
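
The two ideas in this thread combined, as an added example that is not code from either poster: a front-end web server sanity-checks each CGI request against a per-script allowlist and only then builds the request it forwards to a separate CGI host. The backend host name, script paths and parameter patterns are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed for illustration: the isolated CGI host and the per-script rules.
CGI_BACKEND = "http://cgi-host.internal.example:8080"
ALLOWED = {
    "/cgi-bin/search": {
        "q": re.compile(r"[\w .-]{1,64}", re.ASCII),
        "page": re.compile(r"\d{1,4}", re.ASCII),
    },
    "/cgi-bin/counter": {},  # script that takes no parameters
}


class Rejected(ValueError):
    """The request failed the front end's sanity check and is not forwarded."""


def forward_url(request_target: str) -> str:
    """Validate a CGI request target; return the URL to fetch from the CGI host."""
    parts = urlsplit(request_target)
    # Exact match on the raw path: unknown scripts, extra path segments and
    # percent-encoded variants are all refused rather than normalised.
    rules = ALLOWED.get(parts.path)
    if rules is None:
        raise Rejected(f"script not allowed: {parts.path!r}")
    checked = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in checked:
            raise Rejected(f"duplicate parameter: {name!r}")
        pattern = rules.get(name)
        # Values are matched after percent-decoding, so encoded control
        # characters or shell metacharacters fail the allowlist too.
        if pattern is None or not pattern.fullmatch(value):
            raise Rejected(f"bad parameter: {name!r}")
        checked[name] = value
    # Re-encode from the validated values instead of passing the raw query on.
    query = urlencode(checked)
    return CGI_BACKEND + parts.path + ("?" + query if query else "")


if __name__ == "__main__":
    # Constructed sample request.
    print(forward_url("/cgi-bin/search?q=hello%20world&page=2"))
```

The check limits what reaches the CGI host; it does not replace placing that host in its own firewalled segment as the reply describes.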


