LiangTyan Fui wrote:

> It is rather safe to use the "do" command here. I haven't come across
> any crackers who do xTalk, yet ;)

True, but when we take over the world you will change your mind. ;)

> It is even safer if you:
> set secureMode to true -- all access to file system and other system
> resources is disabled.
> if you don't really need to read/write files.

Good point. Tariel needs to write to files though.

> My greater fears are the shell() command and the file path system. If you
> pipe the parameter directly to the shell() command, you are at great
> risk. Also, if you allow the browser end to specify resources thru
> the path name (like /myfolder/myfile.txt), the risk of exposing other
> files will be there (a cracker may specify something like
> ../../../known-system-file).

Right. I think if a CGI does that, the author gets what he deserves. For
most CGIs that I have seen, people want to do a specific task like this
one, writing data to a stack. I don't think there is much danger with
that, even if the stack is outside the CGI folder. There are no path
parameters involved -- that would be written into the CGI, so hackers
wouldn't even know the stack exists or what its file path is. I can't
see how it could be hacked.

> The MetaCard engine is rather safe to use as CGI, just like php/perl/java.
> It is the application that opens the loophole. I've had people hack
> into my development server via a mambo* loophole (developed in php); I can
> only blame myself for not keeping mambo up to date. It really has
> nothing to do with php and mysql.

Scott Raney talked about this once too. He agreed that MetaCard itself
is very safe as long as you don't do anything stupid with it. The engine
doesn't allow any misbehavior. To really do bad things, you have to
write the capability into your scripts.
--
Jacqueline Landman Gay | [EMAIL PROTECTED]
HyperActive Software | http://www.hyperactivesw.com
_______________________________________________
metacard mailing list
[email protected]
http://lists.runrev.com/mailman/listinfo/metacard
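The two risks raised in the quoted message (a browser-supplied path like ../../../known-system-file escaping the CGI's data folder, and a parameter piped straight into shell()) are both checked before use in the following example. It is an added illustration in Python, not MetaCard code and not part of the thread; the base directory /var/www/cgi-data and the sample inputs are constructed for the example.

```python
"""Two input checks a CGI should make before touching the file system or a
shell. Added example; base directory and sample inputs are constructed."""
import os
import shlex

# Constructed data folder the CGI is allowed to write under.
DATA_DIR = "/var/www/cgi-data"


def resolve_within(base_dir: str, user_path: str):
    """Resolve user_path under base_dir and return the absolute path, or
    None if the result would land outside base_dir.

    realpath collapses '..' components and symlinks, so a traversal such as
    '../../../known-system-file' resolves to somewhere above base_dir and is
    rejected. os.path.join discards base_dir when user_path is absolute, so
    the containment test below is what actually enforces the boundary.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def safe_shell_fragment(user_value: str) -> str:
    """Quote a user-supplied value so a shell treats it as one literal word.

    Passing the quoted form (rather than the raw parameter) to a shell
    prevents ';', '|', '$(...)' and similar characters in the input from
    being interpreted as commands. Preferring an argument list with no shell
    at all (e.g. subprocess.run([...])) is better still.
    """
    return shlex.quote(user_value)


def classify_requests(requests):
    """Return {request: resolved_path_or_None} for a batch of path params."""
    return {req: resolve_within(DATA_DIR, req) for req in requests}


if __name__ == "__main__":
    # Constructed sample of what a browser might send as a path parameter.
    sample = ["myfolder/myfile.txt", "../../../known-system-file", "/etc/hosts"]
    for req, resolved in classify_requests(sample).items():
        print(f"{req!r:40} -> {'REJECT' if resolved is None else resolved}")
    print(safe_shell_fragment("report.txt; echo injected"))
```

The path check compares canonical paths rather than looking for ".." substrings, so encoded or nested variants are handled the same way; only the resolved location matters.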