----- Original Message -----
From: "Mitch Pirtle" <[EMAIL PROTECTED]>
To: "Chris Berry" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Monday, June 30, 2003 6:28 PM
Subject: Re: Ten least secure programs
> On Sat, 2003-06-28 at 18:08, Chris Berry wrote:
> > I'm putting together a list of what seem to be the ten least secure
> > computer items in use today with the idea of having a set of things to
> > recommend AGAINST people using, probably to be posted on the IT room door
> > with a note like "NO, you cannot use the following!!". Here is what I have
> > so far, I'm looking for additions and comments. The list is in order, with
> > the worst offender being number one. These should be products whose
> > inherent design is flawed, not ones that are just difficult to secure. I
> > expect vigorous discussion. *putting on flame retardant garments* Oh, and
> > leave Operating systems out of this one.
> >
> > 1) Microsoft Outlook
> > 2) Telnet
> > 3) Sendmail
> > 4) IIS Server
> > 5) Wireless networking
> > 6) PHP
> > 7) ?
> > 8) ?
> > 9) ?
> > 10) ?
>
> 7) BIND
> 8) FrontPage
> 9) CGI (on a webserver, that is)
> and my all-time favorite,
How is CGI an insecure program? It's an interface, and actually, I'm not
aware of any security issues with this interface. If you mean that it
allows for a means for a user on a server with CGI access to do things,
that's true, but it shouldn't be an issue on a secured system and therefore
means CGI isn't (the) a security issue (at hand).
> 10) Anything that is labeled "hacker proof"
But... I'm hacker proof.
> Dude, I'm turning into David Letterman.
>
> Oh, IMNSHO, PHP isn't insecure, it's the people using it.
...and the people coding it (PHP). Read the bugs and vulnerability lists
regarding issues with PHP if you think it's only the people coding insecure
programs that make PHP insecure (after all, that wouldn't qualify it as
insecure).
> I could do
> just as much damage writing something in Perl, .NET, even HTML...
> Pretty much anything 'cept python ;^P
We're not talking about coding insecure scripts as the security issues,
which is why I wonder why you mentioned CGI (I assume you mean CGI
scripts?)... Anyway, HTML is not a programming language, and it's just HTML
tags being rendered and text, you can't write an insecure HTML page. That
would be the user's browser that would be exploitable due to that, unless
you think some silly Java, JavaScript or XSS thing means HTML is insecure.
--
Regards,
Tim Greer [EMAIL PROTECTED]
Server administration, security, programming, consulting.