Quoting Eric Moore <[EMAIL PROTECTED]>:

> > Randall Swartz said something to the effect of "you shouldn't let anyone
> > know what you are using for cgi". He was speaking of using extensions to
> > file names like ".pl".
>
> Security through obscurity?

Security through obscurity is only bad if it is the only means of security. It can be useful to deflect an attack if it is not obvious what the underlying technology is (especially since there are so many ripe targets out there). What if there was a known exploit for PHP, or ColdFusion, or perhaps for a specific commonly used script (Matt's Script Archive, anyone?). A cracker might scrape the web looking for specific files to find potential servers to attack. If all your programs use the standard .cgi extension, then your server may be skipped. Of course, one shouldn't be running vulnerable apps or scripts in the first place!

> Doesn't really matter what one is using for cgi if you don't validate /
> examine everything that is returned from a browser (session_ids, uploaded
> files, parameter values).

Agreed. Never trust anything coming from the user. All other security measures are pretty much useless if you don't follow that rule.

Cheers,

Cees

---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/[EMAIL PROTECTED]/
http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
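An added example of the "validate everything from the browser" rule the reply agrees with, covering the three input classes it names (session ids, uploaded file names, parameter values); this is not code from the thread or from CGI::Application, and the patterns, length limits and allowed file types are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from this thread or from CGI::Application:
# allow-list checks for the three input classes named above (session ids,
# uploaded file names, parameter values). The patterns and limits are this
# example's own assumptions, chosen for illustration.
use strict;
use warnings;
use File::Basename qw(basename);

# Session ids we issued ourselves are assumed to be exactly 32 hex characters.
sub valid_session_id {
    my ($sid) = @_;
    my $ok = defined $sid && $sid =~ /\A[0-9a-f]{32}\z/;
    return $ok ? 1 : 0;
}

# Reduce a browser-supplied upload name to a safe base name, or reject it.
# Any directory part the browser sent is discarded rather than trusted.
sub safe_upload_name {
    my ($name) = @_;
    return unless defined $name;
    $name =~ s{\\}{/}g;                       # Windows browsers send backslashes
    my $base = basename($name);
    return if $base =~ /\A\.+\z/;              # '.' or '..'
    return unless $base =~ /\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/;
    return unless $base =~ /\.(?:txt|png|jpg|pdf)\z/i;   # allow-listed types
    return $base;
}

# Each parameter gets an explicit shape; anything not listed is rejected.
my %RULES = (
    page  => qr/\A[1-9][0-9]{0,4}\z/,          # positive integer, at most 5 digits
    sort  => qr/\A(?:name|date|size)\z/,        # one of a fixed set
    email => qr/\A[^@\s]{1,64}\@[A-Za-z0-9.-]{1,255}\z/,
);

sub valid_param {
    my ($name, $value) = @_;
    my $rule = $RULES{$name} or return 0;      # unknown parameter: reject
    my $ok = defined $value && $value =~ $rule;
    return $ok ? 1 : 0;
}

# Demonstration on constructed inputs (runs only when executed directly).
unless (caller) {
    print "session: ", valid_session_id('0123456789abcdef0123456789abcdef'), "\n";
    for my $raw ('C:\\Users\\me\\..\\report.pdf', '../../etc/passwd') {
        print "upload '$raw' -> ", (safe_upload_name($raw) // 'rejected'), "\n";
    }
    print "param: ", valid_param('sort', 'name'), valid_param('sort', 'x'), "\n";
}
```

The point is that each check describes what is acceptable rather than trying to strip out what is dangerous, so a value the server did not expect is rejected whatever the client sent it as.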
