Firewall Wizards mailing list archives
Re: Web Site Hacks
From: Steven Bellovin <smb () research att com>
Date: Fri, 05 Dec 1997 07:24:10 -0500
At 09:10 PM 12/2/97 GMT, Edward Cracknell wrote:
>Web Site Hacks:
... snip ...
>Assuming the Web server is behind the firewall and only http is allowed:
>
> ... snip ...

Others have commented on the specific issues Edward raised, like creating the telnet link, dns. What's more interesting is just because your web-server is behind a firewall, or in a DMZ doesn't mean it's safe. Web servers have a history of susceptibilities to things like buffer overruns, etc., which protecting them in blue or green nets doesn't stop. I'm not willing to say that all popularly used web servers are 100% guaranteed to be breach proof.

There's something worse: CGI scripts. Firewalls work because of what they don't run. They don't run most protocols, and hence most programs. But CGI scripts *are* programs, and a typical glitzy Web server is running several dozen of these at the very least. And it doesn't take a very long look at the CERT advisories and the BUGTRAQ archives to realize how many buggy CGI scripts have been published and distributed.

Web servers are among the most dangerous critters out there. You really want to protect your major assets from them, because they *will* be penetrated.