Beefy Boxes and Bandwidth Generously Provided by pair Networks
Your skill will accomplish
what the force of many cannot
 
PerlMonks  

Re: Essential CGI Security Practices

by footpad (Monsignor)
on Feb 03, 2002 at 06:20 UTC ( #143034=note: print w/ replies, xml ) Need Help??


in reply to Essential CGI Security Practices

And I would add:

  • Don't accept more than is absolutely necessary. Example: MSA's formmail.pl can be used as a spam relay because it accepts recipient as a CGI parameter. Don't do that.

    Only accept the minimum number of parameters you need.

  • Don't trust anything from the client--period. I've seen cases where CGI scripts claim to be secure because they check REFERER, which is trivial to spoof.

  • Don't ever use a script that tells you to chmod a publically accessible file to 777 (Example: here).

  • Be highly suspicious of code that's been updated one or fewer times in the last several years. (Theory: No one was defending against DoS attacks in 1996.)

Not that I'm picking on anyone, of course. However, I have been helping a buddy run down various spammers that are playing on his system. Guess where the currently identified problems have come from?

--f


Comment on Re: Essential CGI Security Practices

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://143034]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (8)
As of 2014-07-30 12:22 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite superfluous repetitious redundant duplicative phrase is:









    Results (231 votes), past polls