In a previous thread, Charles Steinkuehler wrote:
> 
> P.S.  Nifty solution to the weblet logs issue coming as soon as I come up
> with one and can test it.  I'll probably just fix the viewlogs cgi script,
> which is intentionally paranoid about which files it allows to be accessed
> (weblet logs should also be rotated and added as links to the main weblet
> page).  It can be real easy to create gaping security holes (from simple
> ../../ expansions to shell meta-character expansion vulnerabilities) in
> conventional web-servers, much less one written in shell-script...I've tried
> to close as many holes as possible, although I'm sure there are still a
> number of potential vulnerabilities if anyone cares enough to try and find
> them, but that can make some things a bit harder than it seems like they
> should be at first glance...

It should be noted, on these security issues, that the meta-character
issue needs a rigorous going-over.

In some of my logs, I have this string often repeated:

        ==>

Here is how that same string appears in the weblet view:

        =>gt;

This ought to be covered by some transliteration routine, such as done
by Perl's CGI.pm.

I'm sure there are other issues.  I'm starting this new thread in hopes
of gathering other questionable weblet behaviours from ardent users. 
Once we know where shoring up needs to be done, I'm sure our community
will step up to the challenge ;>

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .
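As an added example, not code from the weblet itself, here is the kind of transliteration routine the message asks for, written as POSIX shell functions, alongside an allowlist check of the sort the quoted viewlogs description implies; the LOGDIR variable, the log-name argument and the sample log line are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not the weblet's own code): HTML-escaping log lines for
# display from a shell-script CGI, plus an allowlist check on the log name.

# Escape the three characters that matter in HTML text content.
# '&' must be handled first; otherwise the '&' introduced by '&lt;'/'&gt;'
# would itself be rewritten to '&amp;' on a later pass.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Same substitutions in the wrong order: '&' is escaped last, so '==>'
# comes out as '==&amp;gt;' (double escaping). Kept to show the failure mode.
html_escape_wrong_order() {
    printf '%s' "$1" | sed -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/&/\&amp;/g'
}

# viewlogs-style allowlist check on the requested log name (LOGDIR is an
# assumed location): accept only a plain file name that exists in LOGDIR,
# never anything containing '/', '..' or characters outside [A-Za-z0-9._-],
# which rules out both directory traversal and shell metacharacters.
LOGDIR="${LOGDIR:-/var/log}"
safe_log_name() {
    case "$1" in
        ''|*/*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ -f "$LOGDIR/$1" ]
}

# Constructed sample line containing the '==>' marker mentioned in the post.
sample_line='Aug 12 10:01:02 fw kernel: ==> dropped <eth0> & logged'

main() {
    html_escape "$sample_line"; echo
    if safe_log_name "$1"; then
        html_escape "$(cat "$LOGDIR/$1")"; echo
    else
        echo "rejected log name: '$1'" >&2
    fi
}

main "$@"
```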

_______________________________________________
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user