Re: Re[2]: [analog-help] CGI Error on NT IIS 4
On Fri, 22 Oct 1999, Susan Alderman wrote:
>
> I'd vote for removing the CGI command - one of the things that analog
> has going for it is that it's simple to use, simple to set up. When
> you start getting into security issues like this, all of a sudden
> it's NOT simple to use/set up and people are liable to get bitten.
>
> (Admit it - how many people out there really read ALL the docs?)
>

My point exactly. Thanks for your comments on this, Susan and others.

My wife pointed out another option: to filter out all potentially-dangerous commands given on the command line, if CGI ON was specified. (Or probably, just to stop the program if one of those commands had been given, and CGI was ON.) I'm sure this could be made to work. However, I still think that the neatest, and safest, solution is to remove the command CGI altogether. Then all the security issues can be devolved to anlgform.

No-one has yet objected to this proposal. This is your last chance to do so!

--
Stephen Turner  [EMAIL PROTECTED]  http://www.statslab.cam.ac.uk/~sret1/
Statistical Laboratory, 16 Mill Lane, Cambridge CB2 1SB, England
"Due to the conflict in Kosovo, we will not be showing the movie Wag the Dog.
Instead, we will show Mortal Kombat: Annihilation." Cable & Wireless

This is the analog-help mailing list. To unsubscribe from this mailing list, send mail to [EMAIL PROTECTED] with "unsubscribe analog-help" in the main BODY OF THE MESSAGE. List archived at http://www.mail-archive.com/analog-help@lists.isite.net/
Re: Re[2]: [analog-help] CGI Error on NT IIS 4
----- Original Message -----
From: Stephen Turner <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 25, 1999 10:08 AM
Subject: Re: Re[2]: [analog-help] CGI Error on NT IIS 4

> I'm sure this could be made to work. However, I still think that the
> neatest, and safest, solution is to remove the command CGI altogether. Then
> all the security issues can be devolved to anlgform.

All I have to say is Java, and servlets. Although it is appreciated that you provide such excellent support for soon-to-be legacy software architectures!

Please, no flames, I'm just adding to the wish-list.

cheers,
Simon
Re: Re[2]: [analog-help] CGI Error on NT IIS 4
At 07:24 PM 10/22/1999 +0100, you wrote:
>It seems to me, as I explained before, that this is a serious security
>risk. Of course, I can warn people about it, but they won't necessarily
>know, or be able to find out easily, whether their server is an at-risk one.
>Or even read the instructions.
>
>At this moment, I'm minded to remove the CGI command from analog altogether,
>and only allow CGI access via anlgform.pl. This is in some ways less
>convenient, but I don't think I can advertise a feature when it's very
>likely to be set up as a security risk.

I'd vote for removing the CGI command - one of the things that analog has going for it is that it's simple to use, simple to set up. When you start getting into security issues like this, all of a sudden it's NOT simple to use/set up and people are liable to get bitten.

(Admit it - how many people out there really read ALL the docs?)

Thanks,
Susan

Susan Alderman  [EMAIL PROTECTED]
Box 1885  vox: 401-863-9466
CIS, Brown University  fax: 401-863-7329
Providence, RI 02912
Re: Re[2]: [analog-help] CGI Error on NT IIS 4
On Fri, 22 Oct 1999, Stephen Turner wrote:
> On Thu, 21 Oct 1999, Aengus Lawlor wrote:
> >
> > The documentation says of CGI ON that "You can't choose any options that
> > way though". This isn't my experience. I just typed in the following URL
> >
> > http:///analog/analog.exe?c:\logs\jun.log+c:\logs\jul.log+%2bC"H
> > OSTNAME+Test"+%2bO-+%2bC"CGI%20ON"
> >
> > and got a report for the two logs specified, and with the specified
> > hostname.
>
> Hmmm. It looks as if your server is passing those arguments in on the
> command line. I didn't think that was normal behaviour, but I'll check on
> my Apache this evening.
>
> In this case, it's a serious security risk. The anlgform.pl filters out
> certain dangerous arguments. For example, if someone specified HEADERFILE in
> your example, they could view any file on the system. Don't keep it there!
>

OK, as far as I can see Apache doesn't pass the arguments. Is this IIS doing this?

It seems to me, as I explained before, that this is a serious security risk. Of course, I can warn people about it, but they won't necessarily know, or be able to find out easily, whether their server is an at-risk one. Or even read the instructions.

At this moment, I'm minded to remove the CGI command from analog altogether, and only allow CGI access via anlgform.pl. This is in some ways less convenient, but I don't think I can advertise a feature when it's very likely to be set up as a security risk.

In fact, it's worse than that. Even if people don't ever find the CGI command, they still sometimes put analog.exe in their CGI directory, thinking it's somehow a CGI script [*], and they would still be vulnerable to this exploit.

Does anyone have any comments on this proposal (to disable the CGI command), for or against?

[*] I've even had people write to me very confused because they tried to open analog.exe in a text editor, and it doesn't look like a CGI (presumably meaning Perl) script.

--
Stephen Turner  [EMAIL PROTECTED]  http://www.statslab.cam.ac.uk/~sret1/
Statistical Laboratory, 16 Mill Lane, Cambridge CB2 1SB, England
Re: Re[2]: [analog-help] CGI Error on NT IIS 4
On Thu, 21 Oct 1999, Aengus Lawlor wrote:
>
> The documentation says of CGI ON that "You can't choose any options that
> way though". This isn't my experience. I just typed in the following URL
>
> http:///analog/analog.exe?c:\logs\jun.log+c:\logs\jul.log+%2bC"H
> OSTNAME+Test"+%2bO-+%2bC"CGI%20ON"
>
> and got a report for the two logs specified, and with the specified
> hostname.

Hmmm. It looks as if your server is passing those arguments in on the command line. I didn't think that was normal behaviour, but I'll check on my Apache this evening.

In this case, it's a serious security risk. The anlgform.pl filters out certain dangerous arguments. For example, if someone specified HEADERFILE in your example, they could view any file on the system. Don't keep it there!

--
Stephen Turner  [EMAIL PROTECTED]  http://www.statslab.cam.ac.uk/~sret1/
Statistical Laboratory, 16 Mill Lane, Cambridge CB2 1SB, England
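Added example (not code from analog, anlgform.pl, or any poster on this thread): a Python model of the two mechanisms discussed above. First, how a web server can hand Aengus's query string to the executable as command-line arguments (the CGI "indexed query" rule of RFC 3875 section 4.4: a QUERY_STRING with no unencoded "=" may be passed as arguments, with "+" standing for a space), so that +C"HEADERFILE ..." reaches the program exactly as Stephen warns. Second, the check proposed in the 25 October message at the top: if CGI ON appears among the arguments, refuse any command that would let the requester read or write a file of their choosing. The quote-aware Windows-style tokenizer, the treatment of +O<path> as an output file (the page only shows +O-), and every entry in FILE_COMMANDS other than HEADERFILE are assumptions made for the example; the hostile path is constructed.

```python
"""Model of indexed-query argument passing plus a 'refuse dangerous commands
under CGI ON' check. Added example; not analog's own code."""
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Configuration commands that make the program read or write a file the
# requester names. HEADERFILE is the one called out in the thread; the
# remaining names are an assumed, illustrative set.
FILE_COMMANDS = {"HEADERFILE", "FOOTERFILE", "OUTFILE", "CACHEFILE", "CONFIGFILE"}


def query_to_command_line(query_string: str) -> Optional[str]:
    """RFC 3875 section 4.4 'indexed query': a QUERY_STRING with no unencoded
    '=' may be passed to the program as arguments, '+' meaning a space. A query
    that contains '=' is a form submission and stays in the environment (None).
    This models a Windows server building one command-line string; a strict
    RFC 3875 server would split on '+' first and pass an argv array."""
    if "=" in query_string:
        return None
    # Replace '+' before decoding so that an encoded %2b survives as a literal '+'.
    return unquote(query_string.replace("+", " "))


def split_windows_style(cmdline: str) -> List[str]:
    """Quote-aware split (assumed model of how the C runtime builds argv from a
    Windows command line): whitespace separates arguments except inside double
    quotes, and the quote characters themselves are dropped."""
    args: List[str] = []
    current: List[str] = []
    in_quotes = False
    have_token = False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True
        elif ch.isspace() and not in_quotes:
            if have_token:
                args.append("".join(current))
                current, have_token = [], False
        else:
            current.append(ch)
            have_token = True
    if have_token:
        args.append("".join(current))
    return args


def config_commands(argv: List[str]) -> List[Tuple[str, str]]:
    """Extract (COMMAND, value) pairs from +C arguments,
    e.g. '+CHOSTNAME Test' -> ('HOSTNAME', 'Test')."""
    pairs: List[Tuple[str, str]] = []
    for arg in argv:
        if arg.startswith("+C"):
            name, _, value = arg[2:].strip().partition(" ")
            pairs.append((name.upper(), value.strip()))
    return pairs


def audit_cgi_args(argv: List[str]) -> Tuple[bool, str]:
    """The check proposed in the thread: once CGI ON is among the arguments,
    refuse any file-naming command and any output file other than '-' (stdout).
    Returns (allowed, reason)."""
    commands = config_commands(argv)
    if ("CGI", "ON") not in commands:
        return True, "CGI ON not requested; ordinary command-line run"
    for name, value in commands:
        if name in FILE_COMMANDS:
            return False, f"refused under CGI: {name} {value}"
    for arg in argv:
        if arg.startswith("+O") and arg[2:] != "-":
            return False, f"refused under CGI: output file {arg[2:]}"
    return True, "ok"


if __name__ == "__main__":
    # The query string from Aengus's URL above.
    query = 'c:\\logs\\jun.log+c:\\logs\\jul.log+%2bC"HOSTNAME+Test"+%2bO-+%2bC"CGI%20ON"'
    argv = split_windows_style(query_to_command_line(query) or "")
    print(argv, audit_cgi_args(argv))
    # Same request, but with HEADERFILE pointing at a constructed arbitrary path.
    hostile = 'c:\\logs\\jun.log+%2bC"HEADERFILE+c:\\private\\secret.txt"+%2bO-+%2bC"CGI%20ON"'
    argv = split_windows_style(query_to_command_line(hostile) or "")
    print(argv, audit_cgi_args(argv))
```

Running the block shows the first query becoming `['c:\\logs\\jun.log', 'c:\\logs\\jul.log', '+CHOSTNAME Test', '+O-', '+CCGI ON']` and passing the audit, while the HEADERFILE variant is refused. The check only helps if it runs before any file is opened, and it still leaves the requester free to name which files are parsed as logs, which is the reason the thread favours dropping the CGI command and keeping the filtering in anlgform.pl.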