Re: [analog-help] CGI Error on NT IIS 4
On Mon, 25 Oct 1999, Aengus Lawlor wrote:

> It's precisely because the CGI command makes Analog "simple to use, simple to set up" that I'd prefer to keep it, if there was a simple way to resolve the security issues. But I can see that that would involve making Analog just a little bit more complicated internally, so sticking with the separate CGI interface may be the best option.

The point is also that it introduces a new set of security issues. OK, so I can resolve the current ones. But maybe there are more that I haven't thought of. These aren't the first, after all. Encouraging people to keep extra executables in their cgi space could be asking for trouble.

I would prefer, if it doesn't impede functionality too much, to keep all the security issues in one place (anlgform) where I can get them all in my head at once, think very carefully about them, and document my solutions. (And you can't make the form interface work at all until you've read at least some of the documentation, so there is a much better chance that people will read it there!)

--
Stephen Turner [EMAIL PROTECTED] http://www.statslab.cam.ac.uk/~sret1/
Statistical Laboratory, 16 Mill Lane, Cambridge CB2 1SB, England
"Due to the conflict in Kosovo, we will not be showing the movie Wag the Dog. Instead, we will show Mortal Kombat: Annihilation." Cable Wireless

This is the analog-help mailing list. To unsubscribe from this mailing list, send mail to [EMAIL PROTECTED] with "unsubscribe analog-help" in the main BODY OF THE MESSAGE.
List archived at http://www.mail-archive.com/analog-help@lists.isite.net/
Re: [analog-help] CGI Error on NT IIS 4
Aengus Lawlor wrote:

> On 10/22/99, I wrote:
>
>> On Fri, 22 Oct 1999, Stephen Turner wrote:
>>
>>> On Thu, 21 Oct 1999, Aengus Lawlor wrote:
>>>
>>>> The documentation says of CGI ON that "You can't choose any options that way though". This isn't my experience. I just typed in the following URL
>>>
>>> OK, as far as I can see Apache doesn't pass the arguments. Is this IIS doing this?
>>
>> Yes (IIS3 and IIS4). Isn't it supposed to pass GET parameters like that?
>
> And I realized on my way home that GET parameters are supposed to be passed to the Query_String environment variable. I do remember way back in the mists of time (IIS 1.0) people were advised to make sure that they only put .pl files in their script directories, and to make sure that perl.exe wasn't directly addressable from a URL, because you could pass parameters to it. It's been a long time, though, and I thought that was fixed in some service pack.

I believe the reason this is still functional is because on IIS many ActiveX server controls are DLL files and need parameters sent to them. So the server takes a URL like /cgi-bin/webapp.dll?parm1=alpha&parm2=234155 and needs to tell the ActiveX control how to read that. My guess is that the implementation of this support means that, as a consequence, the args array of command line options for an executable run in the cgi-space is loaded with the GET parameters.

--
Jeremy Wadsack
Wadsack-Allen Publishing
Re: [analog-help] CGI Error on NT IIS 4
It's precisely because the CGI command makes Analog "simple to use, simple to set up" that I'd prefer to keep it, if there was a simple way to resolve the security issues. But I can see that that would involve making Analog just a little bit more complicated internally, so sticking with the separate CGI interface may be the best option. Time to look into the #EXEC directive, perhaps?

Aengus

__ Reply Separator _
Subject: Re: Re[2]: [analog-help] CGI Error on NT IIS 4
Author: [EMAIL PROTECTED] at Internet
Date: 10/25/99 4:08 PM

On Fri, 22 Oct 1999, Susan Alderman wrote:

> I'd vote for removing the CGI command - one of the things that analog has going for it is that it's simple to use, simple to set up. When you start getting into security issues like this, all of a sudden it's NOT simple to use/set up and people are liable to get bitten. (Admit it - how many people out there really read ALL the docs?)

My point exactly. Thanks for your comments on this, Susan and others.

My wife pointed out another option: to filter out all potentially-dangerous commands given on the command line, if CGI ON was specified. (Or probably, just to stop the program if one of those commands had been given, and CGI was ON). I'm sure this could be made to work.

However, I still think that the neatest, and safest, solution is to remove the command CGI altogether. Then all the security issues can be devolved to anlgform. No-one has yet objected to this proposal. This is your last chance to do so!

--
Stephen Turner [EMAIL PROTECTED] http://www.statslab.cam.ac.uk/~sret1/
Statistical Laboratory, 16 Mill Lane, Cambridge CB2 1SB, England
"Due to the conflict in Kosovo, we will not be showing the movie Wag the Dog. Instead, we will show Mortal Kombat: Annihilation." Cable Wireless
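The option described above (stop the program if a dangerous command arrives on the command line while CGI is on), guarding against the query-string-to-argument behaviour discussed earlier in the thread, as an added example that is not Analog's code. The denylist contents, the `COMMAND value` argument form and the function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed for this example: commands that name files to read or write.
   OUTFILE appears in the thread; the others are illustrative. */
static const char *const FILE_COMMANDS[] = { "OUTFILE", "LOGFILE", "CONFIGFILE" };

/* True when a web server started us: CGI servers set GATEWAY_INTERFACE. */
int running_as_cgi(void) {
    return getenv("GATEWAY_INTERFACE") != NULL;
}

/* Case-insensitive test that arg begins with the whole command word `name`.
   Assumes each argument has the form "COMMAND value". */
static int names_command(const char *arg, const char *name) {
    while (isspace((unsigned char)*arg)) arg++;
    for (; *name; arg++, name++)
        if (toupper((unsigned char)*arg) != *name) return 0;
    return *arg == '\0' || isspace((unsigned char)*arg);
}

/* Index of the first argument that must not come from a URL, or 0 if none.
   Outside CGI the command line belongs to a local operator and is trusted. */
int first_forbidden_arg(int argc, char *const argv[], int cgi_on) {
    if (!cgi_on) return 0;
    for (int i = 1; i < argc; i++)
        for (size_t k = 0; k < sizeof FILE_COMMANDS / sizeof *FILE_COMMANDS; k++)
            if (names_command(argv[i], FILE_COMMANDS[k])) return i;
    return 0;
}

int main(int argc, char *argv[]) {
    int bad = first_forbidden_arg(argc, argv, running_as_cgi());
    if (bad) {
        /* Send complete headers first so the server relays the message
           instead of reporting a misbehaving CGI application. */
        printf("Content-Type: text/plain\r\n\r\n");
        printf("Refused: argument %d is not allowed when run as CGI\n", bad);
        return 1;
    }
    /* Normal processing would continue here. */
    return 0;
}
```

A denylist like this only covers the commands someone has thought of, which is the concern raised in the thread about issues not yet considered.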
Re: [analog-help] CGI Error on NT IIS 4
On Mon, 25 Oct 1999, Stephen Turner wrote:

> (And you can't make the form interface work at all until you've read at least some of the documentation, so there is a much better chance that people will read it there!)

Security through obscurity? :-)

I understand the logic in having two separate programs, and the design advantages it provides. But I also see how much people like the Web interface approach, and how confusing it currently is. (This is because people often find the concepts behind CGI confusing, rather than because anlgform itself is confusing). From a naive user's point of view, a single program that "magically" works as a web program with the flick of a switch is easier to grasp, I think. Whether it's good for them in the long run is a different question entirely :-)

Aengus
Re: [analog-help] CGI Error on NT IIS 4
Sorry, didn't mean to send my previous message with this subject to the list.

--
Stephen Turner [EMAIL PROTECTED] http://www.statslab.cam.ac.uk/~sret1/
Statistical Laboratory, 16 Mill Lane, Cambridge CB2 1SB, England
"Due to the conflict in Kosovo, we will not be showing the movie Wag the Dog. Instead, we will show Mortal Kombat: Annihilation." Cable Wireless
Re: [analog-help] CGI Error on NT IIS 4
On Wed, 20 Oct 1999, Jeremy Wadsack wrote:

> Somewhat unorthodox and not recommended. Analog.exe is NOT a CGI program and will not behave right.

You're a little out-of-date, Jeremy. In 3.9 you can make it work by including the command CGI ON. Then it will return the correct CGI headers. (Having said which, using the official Perl script is still much better).

--
Stephen Turner [EMAIL PROTECTED] http://www.statslab.cam.ac.uk/~sret1/
Statistical Laboratory, 16 Mill Lane, Cambridge CB2 1SB, England
"Due to the conflict in Kosovo, we will not be showing the movie Wag the Dog. Instead, we will show Mortal Kombat: Annihilation." Cable Wireless
Re: [analog-help] CGI Error on NT IIS 4
I stand corrected. Thanks for the clarification, Stephen.

Also, here's the link to that binary, since that email never seemed to show up. For Aengus and anyone else trying the new beta on a Win32 system: I've posted an executable version of the form interface at http://www.wadsack-allen.com/digitalgroup/anlgform.zip (753k)

Given the size, it probably won't make sense to bundle this with the Win32 binary package of 4.0 so I'm happy to continue hosting it there.

To use this you MUST have the form interface in the same directory as the analog.exe. (Or more precisely, it expects to find analog.exe in the directory it resides in. This is the same problem that the last version had, though that was c:\analog\, but this may be something that can be worked around before release.)

Stephen Turner wrote:

> On Wed, 20 Oct 1999, Jeremy Wadsack wrote:
>
>> Somewhat unorthodox and not recommended. Analog.exe is NOT a CGI program and will not behave right.
>
> You're a little out-of-date, Jeremy. In 3.9 you can make it work by including the command CGI ON. Then it will return the correct CGI headers. (Having said which, using the official Perl script is still much better).
>
> --
> Stephen Turner [EMAIL PROTECTED] http://www.statslab.cam.ac.uk/~sret1/
> Statistical Laboratory, 16 Mill Lane, Cambridge CB2 1SB, England
> "Due to the conflict in Kosovo, we will not be showing the movie Wag the Dog. Instead, we will show Mortal Kombat: Annihilation." Cable Wireless

--
Jeremy Wadsack
Wadsack-Allen Publishing
Re: [analog-help] CGI Error on NT IIS 4
Jeff Longland wrote:

> I'm currently attempting to run Analog 3.19B on an NT IIS 4 machine. I have taken a somewhat unorthodox method to run Analog. My ISP doesn't support Perl files, hence I can't use the CGI script to run Analog. So here's what I've done. I've placed analog.exe, analog.cfg and all the necessary language files in my cgi-bin. I then call analog.exe by going to myhost.com/cgi-bin/analog.exe. Analog will run and create my output file in the cgi-bin. But this brings me to the next problem - viewing the file! I can't view an html file in my cgi-bin. So I changed my output line in my config file to:
>
> OUTFILE e:\InetPub\Clients\myhost.com\stats.htm
>
> Then I go back and run analog.exe and I get the following error:
>
> The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:
>
> e:\InetPub\Clients\myhost.com\cgi-bin\analog.exe: Fatal error: failed to open output file e:\InetPub\Clients\myhost.com\stats.htm for writing: exiting
> (For help on all errors and warnings, see docs/errors.html)

Somewhat unorthodox and not recommended. Analog.exe is NOT a CGI program and will not behave right. If Analog outputs anything you'll get the 'Misbehaved CGI' error or just a 500 Server Error; otherwise you'll get a 'document contained no data'. For a Win32 executable version of the 3.90Beta1 form interface see my previous posting today.

As for the error returned, Analog is run as IUSR_WWW (or similar), an unprivileged user on the system. This user has only read access to most of the web area and execute access to the cgi-bin directory. IUSR_WWW never has write access to the system (you don't want people browsing your website to be able to write to the system!) so Analog can't create the output file.

HTH,

--
Jeremy Wadsack
Wadsack-Allen Publishing