On Sat, 16 Mar 2002, mulix wrote:

> On Sat, Mar 16, 2002 at 05:56:33PM +0200, Shlomi Fish wrote:
> > On Sat, 16 Mar 2002, mulix wrote:
> >
> > > On Sat, Mar 16, 2002 at 04:38:41PM +0200, Shlomi Fish wrote:
> > > > On Sat, 16 Mar 2002, mulix wrote:
> > > >
> > > > > i created /iglu/html/irc, owned by mulix.mulix and accessible through
> > > > > http://www.iglu.org.il/irc/. i upload the files manually right now,
> > > > > until we implement a scheme to allow the maintainer (app) to upload
> > > > > files on his own - or just give him an account and be done with it.
> > > >
> > > > A way to manage the files should not be hard to implement with a CGI
> > > > script. (just make sure it makes enough sanity checks) If you write
> > > > a
> > >
> > > cgi scripts are inherently insecure. i do not intend to go that way.
> >
> > That's a baseless generalization that is not good for anything. CGI
> > scripts can be made very secure by using careful coding.
>
> show me how a script that fulfills the function required can be made
> secure, please...

Simple, by making sure that:

1. The filename does not contain slashes at all.
2. The filename does not start with a dot.
3. The file is up to a certain size.
4. The total size of the directory is up to a certain size.
5. The file is always created with the same permissions which are not
executable.

It requires some sanity checks, but it is doable.

> then go to bugtraq and make a small search for cgi
> exploits. most cgi's aren't written using 'careful coding'. but, if it
> makes you feel better, you can add 'non trivial' to my statement
> above.
>

No. Even non-trivial CGIs can be made secure.

> > Well, Sagi proposed something that can be done with proftpd. Let's look
> > into it first, and only then implement it as a CGI script. Are you OK with
> > that?
>
> not entirely - i don't want a cgi script, and we already have an ftp
> server installed - i don't want to maintain two of them. i'll look into
> running another copy of whatever we have running in a chroot'd
> environment later tonight.

Do that, and let us know of the outcome of this experiment.

Regards,

        Shlomi Fish

> --
> The ill-formed Orange
> Fails to satisfy the eye:       http://vipe.technion.ac.il/~mulix/
> Segmentation fault.           http://syscalltrack.sf.net/

----------------------------------------------------------------------
Shlomi Fish        [EMAIL PROTECTED]
Home Page:         http://t2.technion.ac.il/~shlomif/
Home E-mail:       [EMAIL PROTECTED]

"Let's suppose you have a table with 2^n cups..."
"Wait a second - is n a natural number?"


----------------------------------------------------------------------------
To unsubscribe, send a message to [EMAIL PROTECTED]
Archives available at http://www.mail-archive.com/[email protected]/
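The five checks listed above, written out as an added Python example (not code from the original thread or from the iglu.org.il site): each rule is applied before anything is written, and the file is created with O_EXCL and a fixed mode. The byte limits, the upload directory and the demo filenames are assumed values chosen for illustration.

```python
import os
import stat
import tempfile
MAX_FILE_BYTES = 64 * 1024    # rule 3: per-file cap (assumed value, not from the post)
MAX_DIR_BYTES = 128 * 1024    # rule 4: cap on the whole upload directory (assumed)
UPLOAD_MODE = 0o644           # rule 5: fixed, non-executable permissions

def validate_filename(name):
    # Rules 1 and 2: no slash anywhere, no leading dot. Rejecting NUL is an
    # extra check (not in the post) so the C library cannot truncate the name.
    return bool(name) and "/" not in name and "\x00" not in name \
        and not name.startswith(".")

def directory_size(directory):
    # Rule 4: bytes held by regular files in the directory; symlinks not followed.
    return sum(e.stat(follow_symlinks=False).st_size
               for e in os.scandir(directory) if e.is_file(follow_symlinks=False))

def store_upload(directory, name, data):
    # Apply all five checks; return "ok" or the refusal reason, writing nothing on refusal.
    if not validate_filename(name):
        return "bad filename"
    if len(data) > MAX_FILE_BYTES:
        return "file too large"
    if directory_size(directory) + len(data) > MAX_DIR_BYTES:
        return "directory full"
    try:  # O_EXCL: never overwrite, and never follow an existing symlink of that name
        fd = os.open(os.path.join(directory, name),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, UPLOAD_MODE)
    except FileExistsError:
        return "file exists"
    with os.fdopen(fd, "wb") as fh:
        os.fchmod(fd, UPLOAD_MODE)  # defeat umask so the mode is always identical
        fh.write(data)
    return "ok"

def demo():
    # Exercise the checks in a throw-away directory with constructed inputs.
    d = tempfile.mkdtemp(prefix="irc-upload-")
    r = {"ok": store_upload(d, "log-2002-03-16.txt", b"<mulix> hi\n"),
         "dup": store_upload(d, "log-2002-03-16.txt", b"x"),
         "slash": store_upload(d, "../index.html", b"x"),
         "dot": store_upload(d, ".htaccess", b"x"),
         "big": store_upload(d, "big.bin", b"a" * (MAX_FILE_BYTES + 1)),
         "a": store_upload(d, "a.bin", b"a" * 60000),
         "b": store_upload(d, "b.bin", b"b" * 60000),
         "full": store_upload(d, "c.bin", b"c" * 60000)}
    r["mode"] = stat.S_IMODE(os.stat(os.path.join(d, "log-2002-03-16.txt")).st_mode)
    r["dir_bytes"] = directory_size(d)
    return r
```

Running demo() shows the refusal reasons for a traversal-style name, a dotfile, an oversized file, a duplicate and a full directory, and confirms the stored file carries mode 0644 regardless of the process umask.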
