On January 26, 2012 13:51 , Doug McNutt <dougl...@macnauchtan.com> wrote:
At 09:56 -0500 1/26/12, Mark Montague wrote, and I snipped a bunch:
On January 26, 2012 2:50 , Tarzan Jane <lapierr...@hotmail.com> wrote:

Concerning the security, I believe when using binary scripts, security is 
increased some levels. Since the cgi binaries are no longer ASCII files, 
injecting or altering code is hardly possible.

If you use binary executables instead of interpreted scripts, it's true that you 
eliminate some security concerns.  [...] However, there are still many security 
concerns which still exist.  And there are types of attacks that binary 
executables are *more* vulnerable to than scripts -- for example, buffer 
overflow and/or stack smashing attacks.

What about cgiwrap?  Is it still supported?  Can it do the job?  I know it's 
not a perfect solution but at least it's an attempt.


cgiwrap (and suexec) can handle changing to a different user. Its main benefit is that it can choose which user to change to based on which CGI is requested. In a situation where you are only changing to one other user (root), benefits of cgiwrap are minimal -- mainly sanitizing the environment and performing some pre-execution sanity checks. Using cgiwrap won't protect against security flaws in the CGI itself (lack of input sanitation, buffer overflows, race conditions, etc.).


--
  Mark Montague
  m...@catseye.org
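
The environment sanitizing and pre-execution sanity checks mentioned in the reply above, sketched in C as an added example; it is not part of the original message and is not cgiwrap or suexec source. The allowlist contents, the specific checks and the function names are assumptions chosen for illustration.

```c
#define _XOPEN_SOURCE 700
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Assumed allowlist: exact CGI variable names the wrapper passes through. */
static const char *const SAFE_NAMES[] = {
    "CONTENT_LENGTH", "CONTENT_TYPE", "GATEWAY_INTERFACE", "PATH_INFO",
    "QUERY_STRING", "REMOTE_ADDR", "REQUEST_METHOD", "SCRIPT_NAME",
    "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL", NULL
};

/* Return 1 if a "NAME=value" entry may be handed to the CGI, else 0. */
static int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;                          /* malformed entry */
    size_t len = (size_t)(eq - entry);     /* length of NAME */
    /* Request headers arrive as HTTP_*; HTTP_PROXY is dropped because
       some client libraries read it as a proxy setting. */
    if (len > 5 && strncmp(entry, "HTTP_", 5) == 0)
        return !(len == 10 && strncmp(entry, "HTTP_PROXY", 10) == 0);
    for (size_t i = 0; SAFE_NAMES[i] != NULL; i++)
        if (strlen(SAFE_NAMES[i]) == len && strncmp(entry, SAFE_NAMES[i], len) == 0)
            return 1;
    return 0;                              /* LD_PRELOAD, IFS, PATH, ... */
}

/* Copy allowed entries of in[] to out[] (capacity cap, NULL-terminated).
   Returns the number of entries kept. */
size_t sanitize_env(char *const in[], const char *out[], size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return 0;
    for (size_t i = 0; in[i] != NULL && n + 1 < cap; i++)
        if (env_entry_allowed(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return n;
}

/* Pre-execution check on stat() data: regular file, owned by the expected
   uid, not group/world writable, no setuid/setgid bits. Returns 1 if ok. */
int target_mode_ok(const struct stat *st, uid_t expected_uid)
{
    return S_ISREG(st->st_mode) && st->st_uid == expected_uid &&
           !(st->st_mode & (S_IWGRP | S_IWOTH | S_ISUID | S_ISGID));
}
```

Both checks constrain only how the CGI is launched; whatever the program does with QUERY_STRING or the request body afterwards is outside what a wrapper like this can inspect.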
