[Date Prev]   [Date Next] [Thread Prev]   [Thread Next] [Date Index]   [Thread Index]

 

     Re: [nocol-users] security problems with webnocol.cgi, genweb.pl,notifier.pl, etc.

> 
> Are there specific security problems you've noted with webnocol.cgi or
> are you just nervous because it's not running in taint mode? genweb.pl
> and notifier.pl are only run by cron and should therefore be in your
> total control.

	I have to admit, I worry that any script which generates
	many warnings when run with -w has not been throughly
	tested.  genweb.pl and notifier.pl certainly fit the bill.
	So even if they're only being run by cron, they could be
	tightened.

	As far as webnocol.cgi goes, it will happily execute whatever
	the subcommand field in the GET/POST request tells it to
	execute! Not verifying user input is scary enough, but to
	take an arbitrary command that they provide and execute it
	is just plain foolhardy.

	The onion perspective on security applies here. If a black
	hat is able to circumvent my web server's protections and
	call webnocol.cgi unexpectedly, he should find another
	layer of protection, not a wide open entry point.

		Scott