On Thu, Sep 30, 2004 at 02:55:45PM -0400, Rhino wrote:
: We are giving some thought to putting a CGI-based Wiki, specifically OddMuse,
: on a website that runs on a Linux server. In 'Using Linux (Fourth Edition)',
: the authors warn that "The biggest cause for concern about protecting your
: site from external threats is CGI scripts." They go on to suggest various
: precautions that will reduce the risk.
:
: This has me wondering if servlets are equally insecure or have a much stronger
: security model.
The authors of that book may have said "CGI" but what they probably meant, in a
larger scheme, was "executables and other server-side dynamic content." Web
servers that only dish out static content are tougher to crack (in a certain
sense) because they have a fairly rigid set of permissible values: either the
specified file exists under the doc root, or it doesn't. Executables and other
server-side dynamic content (CGI, servlets/JSPs, PHP, etc.) permit end-users to
interact with the server in a different way: they must process user input, and
in doing so, watch out for malformed values. So, other than a denial-of-service
attack caused by flooding a CGI-based service with requests (i.e. filling the
process table as each httpd process fork()s to spawn a new CGI child), there's
not a whole lot of difference between CGI, PHP, Java, etc.

: However, I can't find any
: categorical statement that says servlets are actually any more secure than
: CGI.

See above. ;)

: I was wondering if someone with extensive experience with the security aspects
: of both servlets and CGI can give me any sense of which is more secure and
: why? I need this information so that we can choose the right approach for our
: wiki.

See above. ;)

-QM

--
software -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
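The point QM makes above, that the real risk is in how dynamic content handles user input rather than in CGI versus servlets as such, is easiest to see with a concrete wiki-style parameter. The following is an added example and is not code from the thread, from OddMuse, or from the book quoted; it assumes a CGI-like handler that maps a `page` query parameter onto a file under a hypothetical pages directory, and shows the naive lookup next to one that allow-lists the name and confirms the resolved path stays inside that directory. The same check would be written identically inside a servlet or a PHP script.

```python
# Added example (not part of the original thread or of OddMuse): the same
# input-validation discipline QM describes, applied to a wiki "page" parameter.
# The handler is CGI-shaped (QUERY_STRING in, status + body out); the check is
# the same whatever runs the code. PAGES_DIR and all function names are
# assumptions for illustration.
import os
import re
from typing import Tuple
from urllib.parse import parse_qs

PAGES_DIR = "/var/www/wiki/pages"                    # assumed page store
PAGE_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")   # allow-list: word chars only


def resolve_unsafe(page_name: str, pages_dir: str = PAGES_DIR) -> str:
    """Naive lookup: trusts the name and joins it onto the page directory.
    '../' sequences walk out of pages_dir, and an absolute name makes
    os.path.join discard pages_dir entirely."""
    return os.path.normpath(os.path.join(pages_dir, page_name + ".txt"))


def is_valid_page_name(page_name: str) -> bool:
    """Allow-list check: only letters, digits and underscore, 1..64 chars.
    Rejecting rather than 'cleaning' avoids surprises from encoding tricks."""
    return PAGE_NAME_RE.fullmatch(page_name) is not None


def resolve_safe(page_name: str, pages_dir: str = PAGES_DIR) -> str:
    """Hardened lookup: allow-list the name, then independently verify that
    the fully resolved path is still under pages_dir (defence in depth, in
    case the allow-list is ever loosened)."""
    if not is_valid_page_name(page_name):
        raise ValueError("invalid page name")
    root = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(root, page_name + ".txt"))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("page name escapes the pages directory")
    return target


def handle_request(query_string: str) -> Tuple[int, str]:
    """CGI-style entry point: parse QUERY_STRING and return (status, body).
    Malformed input gets a 400, never a filesystem probe."""
    params = parse_qs(query_string, keep_blank_values=True)
    page = params.get("page", ["HomePage"])[0]   # default page is an assumption
    try:
        path = resolve_safe(page)
    except ValueError as exc:
        return 400, "Bad request: %s" % exc
    return 200, "Would serve %s" % path


if __name__ == "__main__":
    # Constructed sample requests, one benign and two traversal attempts.
    for qs in ("page=HomePage", "page=..%2F..%2F..%2F..%2Fetc%2Fpasswd", "page=%2Fetc%2Fpasswd"):
        print(qs, "->", handle_request(qs))
```

Note that `resolve_unsafe` is only there to show what the naive join does with `../` and absolute names; nothing in the handler calls it. The allow-list is deliberately stricter than what a real wiki might want (OddMuse page names are freer than this), so the regex is the knob to widen, with the `commonpath` check left in place as the backstop.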