Susan Alderman
Fri, 22 Oct 1999 13:38:43 -0700
At 07:24 PM 10/22/1999 +0100, you wrote:
>It seems to me, as I explained before, that this is a serious security
>risk. Of course, I can warn people about it, but they won't necessarily
>know, or be able to find out easily, whether their server is an at-risk one.
>Or even read the instructions.
>
>At this moment, I'm minded to remove the CGI command from analog altogether,
>and only allow CGI access via anlgform.pl. This is in some ways less
>convenient, but I don't think I can advertise a feature when it's very
>likely to be set up as a security risk.

I'd vote for removing the CGI command - one of the things that analog has going for it is that it's simple to use, simple to set up. When you start getting into security issues like this, all of a sudden it's NOT simple to use/set up and people are liable to get bitten. (Admit it - how many people out there really read ALL the docs?)

Thanks,
Susan

Susan Alderman           [EMAIL PROTECTED]
Box 1885                 vox: 401-863-9466
CIS, Brown University    fax: 401-863-7329
Providence, RI 02912

------------------------------------------------------------------------
This is the analog-help mailing list. To unsubscribe from this
mailing list, send mail to [EMAIL PROTECTED]
with "unsubscribe analog-help" in the main BODY OF THE MESSAGE.
List archived at http://www.mail-archive.com/analog-help@lists.isite.net/
------------------------------------------------------------------------