Firewall Wizards mailing list archives
Re: Web Site Hacks
From: Aleph One <aleph1 () dfw net>
Date: Sat, 6 Dec 1997 02:07:25 -0600 (CST)
On Fri, 5 Dec 1997, Chad Schieken wrote:
> The question I wrestle with every day is how to protect the webservers from themselves (CGI, NSAPI, server plugins, etc). It's been my experience that most of the web applications being developed take very few steps to protect themselves. My solution has been individual reviews of each app. This is hugely expensive, and not reliable (IMHO). But what alternatives are there? Even putting the "perfect" firewall in front of the webserver doesn't protect it from the biggest liability, itself. I think the webservers need to implement some sort of sanity checking of input to the various server side applications, like CGI, or server plugins, etc. Has anyone ever seen this even considered in any webserver?
The solution is to use a trusted operating system and run each CGI script or set of CGI scripts in its own compartment. Of course this helps you little if you are using NSAPI or some other web server API where the program actually runs in the same address space as the web server. Another alternative is to have the web server forward CGI requests to another server for execution and forward the results to the browser. This should be easily accomplished. Locate the CGI server in some network firewalled where it can't do damage.

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
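The two pieces the reply describes, a front end that forwards only a checked CGI request and a separate execution side that runs the script under its own limits, as an added example that is not part of the original post or of any product named in the thread. It is written for Linux: the network hop to the firewalled CGI server is stood in for by a function call, the script is run with `sys.executable`, and the allow-listed name pattern, size limits and `RLIMIT_*` values are assumptions chosen for illustration. The sample CGI script and the `DB_PASSWORD` value are constructed.

```python
"""Forwarding CGI execution to a constrained, separate process.

Added example, not code from the mailing-list thread. The front end builds a
minimal CGI environment from a validated request; the execution side runs the
script with only that environment and with resource limits. Limits and the
name pattern are assumptions."""
import os
import re
import resource
import subprocess
import sys
import tempfile

# Assumed policy values (not from the thread).
SCRIPT_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")
MAX_QUERY_LEN = 4096
MAX_BODY_LEN = 64 * 1024
CPU_SECONDS = 2
MEMORY_BYTES = 512 * 1024 * 1024   # generous enough for an interpreter to start


class BadRequest(ValueError):
    """Raised by the front end when a request fails the sanity checks."""


def request_error(script, method, query, content_length):
    """Return None if the request passes the front-end checks, else a reason."""
    if not SCRIPT_NAME_RE.match(script):
        return "script name rejected"          # no separators, no empty name
    if method not in ("GET", "POST"):
        return "method rejected"
    if len(query) > MAX_QUERY_LEN or any(c in query for c in "\r\n\0"):
        return "query string rejected"
    if content_length > MAX_BODY_LEN:
        return "body too large"
    return None


def build_cgi_env(script, method, query, content_length):
    """Front-end side: produce the only environment the script will see.

    Nothing from the web server's own environment is forwarded, so secrets held
    by the front end never reach the CGI process."""
    reason = request_error(script, method, query, content_length)
    if reason is not None:
        raise BadRequest(reason)
    return {
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REQUEST_METHOD": method,
        "QUERY_STRING": query,
        "CONTENT_LENGTH": str(content_length),
        "SCRIPT_NAME": "/cgi-bin/" + script,
        "PATH": "/usr/bin:/bin",
    }


def _limit_resources():
    """Applied in the child before exec: cap CPU time and memory, no core files."""
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_AS, (MEMORY_BYTES, MEMORY_BYTES))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))


def run_cgi(script_dir, env, body=b""):
    """Execution side: run the named script from one allow-listed directory.

    Returns (exit status, raw CGI output). The script gets the forwarded
    environment only, a wall-clock timeout, and the rlimits above."""
    script = os.path.basename(env["SCRIPT_NAME"])
    path = os.path.join(script_dir, script)
    if not os.path.isfile(path):
        raise BadRequest("no such script")
    proc = subprocess.run([sys.executable, path], input=body, env=env,
                          capture_output=True, cwd=script_dir,
                          preexec_fn=_limit_resources, timeout=CPU_SECONDS + 3)
    return proc.returncode, proc.stdout


def handle_request(script_dir, script, method, query="", body=b""):
    """Front end -> execution side, the network hop replaced by a call."""
    env = build_cgi_env(script, method, query, len(body))
    return run_cgi(script_dir, env, body)


# Constructed CGI script: echoes its query and shows it cannot see the
# front end's own environment.
SAMPLE_SCRIPT = (
    "import os, sys\n"
    "sys.stdout.write('Content-Type: text/plain\\r\\n\\r\\n')\n"
    "sys.stdout.write('query=' + os.environ.get('QUERY_STRING', '') + '\\n')\n"
    "sys.stdout.write('secret=' + os.environ.get('DB_PASSWORD', '<not forwarded>') + '\\n')\n"
)


def demo():
    """Run the constructed script through the forwarding path."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "echo.py"), "w") as f:
            f.write(SAMPLE_SCRIPT)
        os.environ["DB_PASSWORD"] = "hunter2"   # constructed secret held by the front end
        return handle_request(d, "echo.py", "GET", "user=alice")


if __name__ == "__main__":
    status, out = demo()
    print(status, out.decode())
```

The point of the split is the one the reply makes: the script never shares an address space or an environment with the web server, so a flaw in it is bounded by the execution side's limits and by whatever the firewalled network lets that host reach. Rejected names and oversized input never leave the front end.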