
On Sat, 9 Mar 1996, Dan Cross wrote:
> This is an interesting idea, though I think a really really insecure one. What's keeping someone from posting "trojan web pages" and then waiting for the pages to be soaked up by servers? Something that says "click <here> to see the /etc/passwd file for this site!" which runs some funky CGI thing to cat /etc/passwd or, "Enter your credit card number to buy super wiz-bang gadget!" or the like is a really scary, but very real, possibility if great care is not taken in setting this kind of thing up. News servers, on the other hand, don't suffer from this problem because the data which they contain is much more passive in nature (at least, while in the spool...) than HTML.
The obvious fix would just be to disallow the use of CGI scripts in anonymous web pages. In order for a file to be designated a CGI script, it must be explicitly specified as such in the httpd configuration. The web is every bit as passive as Usenet. The only difference is you can't make a program that will execute on the NNTP server every time it is retrieved (which would be the Usenet equivalent of CGI).

--Mark
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm@voicenet.com | finger -l for PGP key 0xf9b22ba5
http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5
"The concept of normalcy is just a conspiracy of the majority" -me
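The fix Mark describes, as an added example that is not from the original thread: an Apache httpd configuration (the message only says "httpd", so Apache and the directory paths are assumptions) that keeps CGI confined to an explicitly designated script directory and makes a tree of anonymously submitted pages purely passive, with the risky settings shown beside the restricted ones.

```apache
# Added example, not from the thread. Paths are hypothetical.

# Risky: execution is enabled for the whole anonymous tree, any uploaded
# .cgi file becomes a script because of the handler mapping, and an
# uploaded .htaccess could widen the settings further.
#<Directory "/var/www/anon">
#    Options ExecCGI Includes
#    AddHandler cgi-script .cgi
#    AllowOverride All
#</Directory>

# Restricted: the only CGI the server will run lives under an explicit
# ScriptAlias that anonymous uploads never reach.
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
<Directory "/usr/local/apache/cgi-bin">
    Options None
    AllowOverride None
</Directory>

# The anonymous tree: no CGI, no server-side includes (which could also
# run commands), no symlinks out of the tree, and no per-directory
# overrides that could re-enable any of these.
<Directory "/var/www/anon">
    Options -ExecCGI -Includes -FollowSymLinks
    AllowOverride None
    # Strip any handler a script-like suffix would otherwise pick up and
    # serve such files as plain text instead of running them.
    RemoveHandler .cgi .pl .sh
    AddType text/plain .cgi .pl .sh
</Directory>
```

Pages under /var/www/anon can still carry links or forms pointing at /cgi-bin/, so the scripts placed there by the administrator remain the only code that executes on the server.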