Firewall Wizards mailing list archives

Re: Web Site Hacks


From: Steven Bellovin <smb () research att com>
Date: Fri, 05 Dec 1997 07:24:10 -0500

         At 09:10 PM 12/2/97 GMT, Edward Cracknell wrote:
         >Web Site Hacks:
         
         ... snip ...
         
         
         >Assuming the Web server is behind the firewall and only http is allowed:
         >
         >
         
         ... snip ...
         
         Others have commented on the specific issues Edward raised,
         like creating the telnet link, dns.

         What's more interesting is just because your web-server is
         behind a firewall, or in a DMZ doesn't mean it's safe.  Web
         servers have a history of susceptibilities to things like
         buffer overruns, etc., which protecting them in blue or green
         nets doesn't stop.

         I'm not willing to say that all popularly used web servers are
         100% guaranteed to be breach proof.

There's something worse:  CGI scripts.

Firewalls work because of what they don't run.  They don't run most
protocols, and hence most programs.  But CGI scripts *are* programs,
and a typical glitzy Web server is running several dozen of these at
the very least.  And it doesn't take a very long look at the CERT
advisories and the BUGTRAQ archives to realize how many buggy CGI scripts
have been published and distributed.

Web servers are among the most dangerous critters out there.  You really
want to protect your major assets from them, because they *will* be
penetrated.


