> First of all, let me say that this is IMO not a newbie question. Its
> a good question that's not easy to answer. A lot of it depends on
> what kinds of assets you're trying to protect and your specific concerns
> are w.r.t. data integrity, and host security.
Ok, thanks. I'm an old hand at joining discussion groups and I'm sure
you all know how established mailing lists can be, flaming newcommers for not
reading the archives, etc. and I appreciate that this didn't happen
here.
> I've given some thought to the following:
>
> [Internet]---[FWALL]----[Company Net]---[SQL Server]
> |
> |---------------|
> [Webserver]---[CGI server]
>
> The above has a single cgi on the webserver that opens connections
> to a CGI server machine and executes the real CGI executables/scripts
>From my point of view (having written all 10k lines of the CGI) I
see no way for anyone to exploit the CGI stuff. It is all C++
code with no server side parsing. I do have one module which
does a pipe/fork/exec on a full path binary (/oracle/bin/sqlplus)
and prefilters the SQL query to catch any shell commands, but
at the risk of sounding cliche' I can almost guarantee there is
no way of breaking it (almost+guarantee = oxymoron). This is the
only module that interacts at the OS level, the rest of them only
deal directly with ORACLE.
Are there some things I should maybe look for? I was thinking most
problems with CGI were due to shell/scripting languages that
did ENV variable expansion and command subsitution. Since I dont
do this, I should be safe, right? :)
Melvin
|
|
