Firewall Wizards mailing list archives
Re: Firewall RISKS
From: Adam Shostack <adam () homeport org>
Date: Thu, 3 Jun 1999 09:24:54 -0400
On Tue, Jun 01, 1999 at 07:49:56PM -0700, Robert Graham wrote:

| The ColdFusion bug was not really Allaire's fault -- the bug was in a
| sample script that Allaire recommends be removed from a production web
| server. Almost every web-site creation package like ColdFusion has the
| same problem, including Microsoft's ASP scripting, FrontPage web
| hosting, and sample CGI programs. Administrators feel safe behind

I'm sorry, but you're wrong. The ColdFusion bug was Allaire's fault. They wrote and shipped crap sample code that has security flaws in it. That code has probably been modified into other vulnerable programs.

There are a reasonably large number of secure programming FAQs available; Matt Bishop has one, there's one in Garfinkel and Spafford, there's one I wrote. I've seen academic references in 1976 or so that programs that don't validate their input are vulnerable to attack.

To absolve a company of blame for shipping bogus code is wrong. They screwed up. They got lots of people in trouble. They wasted lots of people's time. If you don't have time to do the sample code right, don't ship it.

It's been a long time since a problem like this was found in Apache; NCSA had a slew, and the web folks learned. You can read the history of it in the bugtraq archives.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume