At 07:24 PM 10/22/1999 +0100, you wrote:
>It seems to me, as I explained before, that this is a serious security
>risk. Of course, I can warn people about it, but they won't necessarily
>know, or be able to find out easily, whether their server is an at-risk one.
>Or even read the instructions.
>
>At this moment, I'm minded to remove the CGI command from analog altogether,
>and only allow CGI access via anlgform.pl. This is in some ways less
>convenient, but I don't think I can advertise a feature when it's very
>likely to be set up as a security risk.


I'd vote for removing the CGI command - one of the things that analog
has going for it is that it's simple to use, simple to set up.  When
you start getting into security issues like this, all of a sudden
it's NOT simple to use/set up and people are liable to get bitten.

(Admit it - how many people out there really read ALL the docs?)

Thanks,
Susan


Susan Alderman                  [EMAIL PROTECTED]
Box 1885                                vox: 401-863-9466
CIS, Brown University           fax: 401-863-7329
Providence, RI 02912
------------------------------------------------------------------------
This is the analog-help mailing list. To unsubscribe from this
mailing list, send mail to [EMAIL PROTECTED]
with "unsubscribe analog-help" in the main BODY OF THE MESSAGE.
List archived at http://www.mail-archive.com/analog-help@lists.isite.net/
------------------------------------------------------------------------