Henry Reardon wrote:

A badly written servlet is always a security risk; however, it's a damn
sight harder to write a servlet that will allow open access to your web
site than a badly written perl script.  For example:

Tricking a perl script into executing meta characters.
Crashing an entire web server, etc.

Dave

We are giving some thought to putting a CGI-based Wiki, specifically
OddMuse, on a website that runs on a Linux server. In 'Using Linux
(Fourth Edition)', the authors warn that "The biggest cause for concern
about protecting your site from external threats is CGI scripts." They go
on to suggest various precautions that will reduce the risk.

This has me wondering if servlets are equally insecure or have a much
stronger security model. I also have Jason Hunter's 'Java Servlet
Programming (Second Edition)', which has a 30-page chapter on Security
that details how various forms of authentication take place in servlets.
However, I can't find any categorical statement that says servlets are
actually any more secure than CGI.

I was wondering if someone with extensive experience with the security
aspects of both servlets and CGI can give me any sense of which is more
secure and why. I need this information so that we can choose the right
approach for our wiki.

---
Henry


___________________________________________________________________________

To unsubscribe, send email to [EMAIL PROTECTED] and include in the
body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html



-- -- email [EMAIL PROTECTED] -- web www.pinan.co.uk --The opinions expressed in this article are personal and do not --represent the views of Pinan Software.
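As an added illustration of the "executing meta characters" risk Dave mentions (example code written for this archive, not from either poster, and in Python rather than Perl): a CGI-style handler that builds a shell command string from a request parameter, beside the hardened form that validates the parameter and passes it as a single argv element. `echo` stands in for whatever command a real script would call, so the injected text only prints.

```python
"""Shell-metacharacter injection in a CGI-style handler, and its fix.

Constructed example: a lookup handler that hands a request parameter to
an external command.  `echo` is a harmless stand-in for that command.
"""
import re
import shlex
import subprocess

# Constructed request parameters: a benign value and one carrying the
# shell separator ';' followed by a second command.
BENIGN = "alice"
INJECTED = "alice; echo injected"

# Allowlist for a login-name style parameter (assumption: letters, digits,
# '_', '-' and '.' are the only valid characters).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def lookup_unsafe(user: str) -> list:
    """The classic CGI mistake: the parameter is interpolated into a
    command string that /bin/sh parses, so ';' terminates the command
    and whatever follows runs as a second command."""
    out = subprocess.run(f"echo {user}", shell=True,
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def lookup_safe(user: str) -> list:
    """Reject anything outside the allowlist, then execute without a
    shell: the value is one argv element and is never re-parsed."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError(f"rejected parameter: {user!r}")
    out = subprocess.run(["echo", user], capture_output=True,
                         text=True, check=True)
    return out.stdout.splitlines()


def has_shell_metachars(value: str) -> bool:
    """Detection helper for request logs: True when the value contains
    characters a POSIX shell treats specially (shlex.quote would have
    to wrap it in quotes)."""
    return shlex.quote(value) != value


if __name__ == "__main__":
    print("unsafe, injected:", lookup_unsafe(INJECTED))  # two lines back
    print("safe, benign:", lookup_safe(BENIGN))
    try:
        lookup_safe(INJECTED)
    except ValueError as err:
        print("safe, injected:", err)
```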

