On Tue, 12 Oct 1999, Eric Strovink wrote:
> Matt Sergeant wrote:
>
> > All CGI scripts, no matter what language they are written in, can be
> > insecure. There's no need to discuss this here [snip]
>
> The original question, though, was whether embperl is *inherently* less secure
> than some other strategies. I am no security expert, but some of the exploits
> that were tried (unsuccessfully) by this cracker did in fact rely on whether
> server-side includes and/or embedded Perl were active. Now, I am not saying
> that directory permissions ought not to be correct and so on, but *supposing*
> that there were some oversight in this area, *then* it seems to me the fact
> that ssi or embperl was active *would* increase the chances of crackability.

This cracker got write access to the web server via a poorly written CGI
script though (searching for embperl or ssi was what he did after the fact
to see if he could write to the right page), and then got further in via a
bug on crond. The point is that any site is as secure as its weakest
point. If that weak point allows any kind of write access to the web server
then having embperl or ssi or buggy crons or any other way for your cracker
to get further isn't going to make that much difference.

Disclaimer: I'm no security expert - but I have worked on security-paranoid
web sites such as http://www.bbc.co.uk.
--
<Matt/>
Details: FastNet Software Ltd - XML, Perl, Databases.
Tagline: High Performance Web Solutions
Web Sites: http://come.to/fastnet http://sergeant.org
Available for Consultancy, Contracts and Training.