And I would add, most of the security issues encountered thus far in any deployment 
I've been involved in have been with NT. Hotfixes, registry entries, services, etc., 
all of which can be researched through the MS Knowledge Base (I know that's off topic). I 
have heard of some people firing off a script by calling it with perl.exe in the query 
argument. Don't do that, I guess. And of course make sure you have all of your group 
permissions created and set correctly for directory accesses [cgi, cgi-bin, Perl, 
etc.] (again off topic, last time).

Any other ideas?

Mark Bergeron

-----Original Message-----
From: "Cornish, Merrill"<[EMAIL PROTECTED]>
To: "'Young Fan'"<[EMAIL PROTECTED]>, "Mark Bergeron"<[EMAIL PROTECTED]>, 
[EMAIL PROTECTED]
Date: Wed Jun 13 08:38:16 PDT 2001
Subject: Re: ActivePerl setup and security issues

>
>
>-----Original Message-----
>From: Young Fan [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, June 13, 2001 10:16 AM
>To: Mark Bergeron; [EMAIL PROTECTED]
>Subject: Re: ActivePerl setup and security issues
>
>
>Thanks for the reply. We haven't even installed
>ActivePerl on the server yet. We run WinNT server, and
>our organization is part of a university, and hosts
>departmental sites. Developers in those departments
>have FTP access, and currently can use ColdFusion.
>We'd like to add support for Perl.
>
>Before making Perl available, we want to be aware of
>any security issues and how to resolve them. What
>needs to be done in terms of setup to prevent security
>problems? Example -- can exec() be disabled, and how?
>What other security precautions can and should be
>taken (and how)?
>
>Thanks!
>
>Young
>
>Young,
>
>Asking if Perl is "secure" is like asking if C++ or Visual Basic is secure.
>It's a general purpose programming language.  It can do general purpose
>programming, which includes all the good things and all the bad things in
>the world.
>
>Even if you manage to disable system() in Perl or C++ or whatever; what
>would that buy you?  The Perl program itself could do anything the program
>system() spawned off could do.  So, there seems to be something missing in
>what you are telling us.
>
>How do you currently control access to C, C++, Pascal, Fortran, Cobol,
>assembler, and whatever else you are running?
>
>Merrill
>

_______________________________________________
Perl-Win32-Users mailing list
[EMAIL PROTECTED]
http://listserv.ActiveState.com/mailman/listinfo/perl-win32-users