Firewall Wizards mailing list archives
Re: Web Site Hacks
From: Chad Schieken <cschieke () advsys com>
Date: Fri, 05 Dec 1997 13:30:44 -0500
The question I wrestle with every day is how to protect the webservers from themselves (CGI, NSAPI, server plugins, etc). It's been my experience that most of the web applications being developed take very few steps to protect themselves. My solution has been individual reviews of each app. This is hugely expensive, and not reliable (IMHO). But what alternatives are there? Even putting the "perfect" firewall in front of the webserver doesn't protect it from the biggest liability, itself. I think the webservers need to implement some sort of sanity checking of input to the various server side applications, like CGI, or server plugins, etc. Has anyone ever seen this even considered in any webserver?
There's something worse: CGI scripts. Firewalls work because of what they don't run. They don't run most protocols, and hence most programs. But CGI scripts *are* programs, and a typical glitzy Web server is running several dozen of these at the very least. And it doesn't take a very long look at the CERT advisories and the BUGTRAQ archives to realize how many buggy CGI scripts have been published and distributed. Web servers are among the most dangerous critters out there. You really want to protect your major assets from them, because they *will* be penetrated.
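The "sanity checking of input" asked for above can be done as a wrapper the server runs before the real CGI program, with an allow-list schema per endpoint. The following is an added example written for this archive page, not code from the original posts or from any web server of the period. PARAM_RULES, validate_query, lookup_handler and run_cgi are hypothetical names, /usr/local/bin/lookup-user is a made-up program, and the QUERY_STRING values in the usage notes are constructed for the demonstration. It goes a little beyond the post by also showing the second layer a practitioner would want: the handler builds an argv list and never hands user data to /bin/sh, so a loosened pattern later does not reopen the classic metacharacter bug.

```python
"""Allow-list sanity check for CGI input, run before the real handler.

Added example; not code from the thread or from any web server.  All names
here are hypothetical, and the sample query strings are constructed.
"""
import re
from urllib.parse import parse_qsl

# Schema for one CGI endpoint: parameter -> (required, max length, pattern the
# whole value must match).  Anything not listed is rejected outright.
PARAM_RULES = {
    "user": (True, 32, re.compile(r"[A-Za-z0-9_.-]+")),
    "page": (False, 4, re.compile(r"[0-9]+")),
}


class InputRejected(ValueError):
    """Raised when a request fails the allow-list check."""


def validate_query(query_string):
    """Parse QUERY_STRING and return a dict of validated parameters.

    Rejects unknown or duplicated parameters, over-long values and any value
    that does not match its pattern in full, so %00, newlines and shell
    metacharacters never reach the handler.  The check is an allow-list: it
    does not try to enumerate bad characters.
    """
    seen = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if name not in PARAM_RULES:
            raise InputRejected("unexpected parameter %r" % name)
        if name in seen:
            raise InputRejected("duplicate parameter %r" % name)
        required, max_len, pattern = PARAM_RULES[name]
        if len(value) > max_len:
            raise InputRejected("%s exceeds %d characters" % (name, max_len))
        if pattern.fullmatch(value) is None:
            raise InputRejected("%s contains disallowed characters" % name)
        seen[name] = value
    for name, (required, _, _) in PARAM_RULES.items():
        if required and name not in seen:
            raise InputRejected("missing required parameter %r" % name)
    return seen


def lookup_handler(params):
    """Stand-in for the real CGI program (hypothetical).

    Builds the argv it would exec as a list, never as a shell command line, so
    the value cannot be re-parsed by /bin/sh even if validation is loosened
    later.  Returns the response body it would emit.
    """
    argv = ["/usr/local/bin/lookup-user", params["user"]]  # made-up program
    if "page" in params:
        argv.append(params["page"])
    return "Content-Type: text/plain\r\n\r\nwould exec: %r\n" % (argv,)


def run_cgi(environ, handler):
    """Wrapper the server invokes instead of calling the handler directly.

    Returns (status, body, log_reason).  A failed check yields 400 with a
    generic body; the specific reason is for the server log, not the client.
    """
    try:
        params = validate_query(environ.get("QUERY_STRING", ""))
    except InputRejected as exc:
        return 400, "Content-Type: text/plain\r\n\r\nBad Request\n", str(exc)
    return 200, handler(params), ""


if __name__ == "__main__":
    # Run as an actual CGI script: the server supplies QUERY_STRING.
    import os
    import sys
    status, body, reason = run_cgi(os.environ, lookup_handler)
    if status != 200:
        sys.stdout.write("Status: 400 Bad Request\r\n")
        sys.stderr.write("rejected request: %s\n" % reason)
    sys.stdout.write(body)
```

With this schema, `user=alice&page=2` passes, while `user=alice;cat%20/etc/passwd`, `user=alice%00`, `user=alice&debug=1` (an undeclared parameter) and `page=2` (missing the required `user`) are all refused with 400 before any program runs. The per-endpoint schema is the part that has to be written by the application author, which is the same review burden the post describes, but it is a few lines per parameter rather than a review of every code path that touches the input.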