On Sun, 10 Mar 1996, Mark M. wrote:
On Sat, 9 Mar 1996, Dan Cross wrote:
This is an interesting idea, though I think a really really insecure one. What's keeping someone from posting ``trojan web pages'' and then waiting for the pages to be soaked up by servers? Something that says ``click <here> to see the /etc/passwd file for this site!'' which runs some funky CGI thing to cat /etc/passwd or, ``Enter your credit card number to buy super wiz-bang gadget!'' or the like is a really scary, but very real, possibility if great care is not taken in setting this kind of thing up. News servers, on the other hand, don't suffer from this problem because the data which they contain is much more passive in nature (at least, while in the spool..) than HTML.
The obvious fix would just be to disallow the use of CGI scripts in anonymous web pages. In order for a file to be designated a CGI script, the must be explicitly specified as such in the httpd configuration. The web is every bit as passive as Usenet. The only difference is you can't make a program that will execute on the NNTP server everytime it is retrieved (which would be the Usenet equivalent of CGI).
Doesn't solve the problem completely, or even the individual example given above.
From your public html directory, try 'ln -s /etc/passwd passwords.txt'.
Then add a link to your homepage.... Jon ---------- Jon Lasser (410)494-3072 - Obscenity is a crutch for jlasser@rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA.