At 07:56 AM 6/7/00 -0400, Eric Strovink wrote:
>Gunther Birznieks wrote:
>
><snip>
>
> > >From: Jan Dubois <[EMAIL PROTECTED]>
> > >I don't think so. You should never let people execute arbitrary code on
> > >your web server anyways. If you do, then the potential intruder can do
> > >much more nasty things than just snooping around in memory.
> > >-Jan
> > I think Jan is right to some degree. But he's also not necessarily thinking
> > outside the box which is exactly what a hacker will do.
>
><snip>
>
>This reminds me of a discussion that has been conducted here before. One
>could as well ask, "Isn't embperl [or any other embedded code implementation]
>a security risk?" One camp says of course not, you should protect yourself
>against tainted user data, etc., plus whatever other ways exist to trick the
>server into executing a foreign Perl fragment, and it's your fault if you
>don't, so there's no risk. Another camp says yes, if your server is *able* to
>execute embedded code of some kind, then by enabling this capability you've
>added to the risk by definition -- and by the way, you can't claim to have
>thought of *all* the ways that someone might trick you into running a code
>frag, because you're probably not thinking about it as hard as they are.
Well, yes and no. At the end of the day, as the server admin you are
choosing which directories and filetypes are enabled for embperl so it is
protected in the same way as a cgi script from being run on the server. If
embperl then runs in the same model as mod_perl, then it would have the
same vulnerabilities as I outlined in the part of the mail that was snipped.
The caching of data in a mod_perl server is the particular security
vulnerability that there is a potential of exploiting. But not too many
people would think that way, and the mod_perl program would have to be
caching quite a bit of data on the server which usually is not recommended
for individual apache program size anyway even if it might improve
performance when there is enough RAM.
Later,
Gunther
__________________________________________________
Gunther Birznieks ([EMAIL PROTECTED])
Extropia - The Web Technology Company
http://www.extropia.com/
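An added illustration of the point Gunther makes about cached data in a persistent mod_perl process; this is not code from the thread or from any of the projects mentioned. The package names, the "requests" (plain function calls standing in for successive requests handled by one long-lived child), and the secret value are all constructed. It shows why anything a handler stashes in a package global stays readable by every other piece of Perl the same interpreter runs, and one way to keep secrets request-scoped so nothing worth stealing accumulates in memory:

```perl
#!/usr/bin/perl
# Added example, not from the mailing-list thread. Simulates a single
# persistent mod_perl interpreter in which several handlers share one
# symbol table. Runs stand-alone with core Perl only.
use strict;
use warnings;

# --- The pattern the thread warns about: a handler caches something
# sensitive in a package global so it survives from one request to the next.
package My::Handler;
our %CACHE;    # lives as long as the server child process does

sub handle_request {
    my ($req) = @_;
    # Constructed value; a real handler might cache a DB password, a
    # session table or a decrypted config read during the first request.
    $CACHE{db_password} ||= 'constructed-secret';
    return "served $req";
}

# --- Any other Perl that runs in the same interpreter (another handler,
# an Apache::Registry script, an embedded code fragment) shares that
# symbol table and can read the cached value by name.
package Other::Code;
sub peek { return $My::Handler::CACHE{db_password} }

# --- Safer variant: cache only non-sensitive, reusable data (here a
# constructed lookup table) and keep the secret in a lexical that is read
# per request and discarded when the handler returns.
package My::SaferHandler;
our %CACHE;

sub load_secret {
    # Stand-in for reading a credential from a permission-restricted file.
    return 'constructed-secret';
}

sub handle_request {
    my ($req) = @_;
    $CACHE{country_names} ||= { de => 'Germany', fr => 'France' };  # public data
    my $password = load_secret();    # lexical: gone when the sub returns
    my $status   = length($password) ? 'connected' : 'no credential';
    return "served $req ($status)";
}

package main;

# First "process lifetime": two requests through the leaky handler.
My::Handler::handle_request($_) for qw(req1 req2);
print "Other::Code can read: ", Other::Code::peek(), "\n";

# Same interpreter, safer handler: no secret is left behind in %CACHE.
My::SaferHandler::handle_request($_) for qw(req1 req2);
print "SaferHandler cache keys: ",
      join(',', sort keys %My::SaferHandler::CACHE), "\n";
print "db_password cached by SaferHandler? ",
      (exists $My::SaferHandler::CACHE{db_password} ? 'yes' : 'no'), "\n";
```

The lexical scoping does not make the process immune (anything with access to the interpreter can still walk pads or read the file the handler reads), but it matches the thread's own mitigation: the less sensitive state a mod_perl child keeps between requests, the less an attacker who gets code into that child can harvest.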