Great Circle Associates Firewalls
(September 1996)
 


Subject: CGI and security
From: "Rachel Rosencrantz" <rachel @ predictive . com>
Organization: Predictive Systems
Date: Wed, 25 Sep 1996 10:27:35 +0000
To: Firewalls @ GreatCircle . COM
Comments: Authenticated sender is <rachel @ cohiba . predictive . com>
Reply-to: rachelr @ pobox . com

-----BEGIN PGP SIGNED MESSAGE-----

Date: Tue, 17 Sep 1996 20:18:40 -0400 (EDT)
From: "Mr. Jolt Cola" <msmith @ quix . robins . af . mil>
Subject: Re: Newbie question


> From my point of view (having written all 10k lines of the CGI) I
> see no way for anyone to exploit the CGI stuff. It is all C++
> code with no server side parsing. I do have one module which
> does a pipe/fork/exec on a full path binary (/oracle/bin/sqlplus) and
> prefilters the SQL query to catch any shell commands, but at the risk
> of sounding cliché I can almost guarantee there is no way of breaking
> it (almost+guarantee = oxymoron). This is the only module that
> interacts at the OS level, the rest of them only deal directly with
> ORACLE.

> Are there some things I should maybe look for? I was thinking most
> problems with CGI were due to shell/scripting languages that did ENV
> variable expansion and command substitution. Since I don't do this, I
> should be safe, right? :)

I have one question.  Is the data in the database at all important?
If so, can someone using the script modify the data?  Can someone
open the SQL port without going through your shell scripts/C++
programs?

I'd check for these things.  I'm sure that some of the places that do
stock quote lookups and the like have dealt with these issues
already, as they most likely do use a database of some sort, and an
SQL database is entirely likely.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMklBVJiFpljvgeohAQEOkQP+PHQxJq5t7CyrxrxRXtzGaSzQdf5kQhPD
K2xu4+zj59hB19QJEcXm19LFiyxc50YzQDhplvBhpeEfWM88AP4YvZ49JSzFo9JA
U9klj6FsN0NFmbK209V0SR1TmtcV9RtWC2b4rXBMMHlCedWovzVfFx6oIDKQwhzP
HC8S5HD6ciQ=
=JWpe
-----END PGP SIGNATURE-----
Rachel Rosencrantz <rachelr @ pobox . com>  http://www.armory.com/~rachelr
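The exchange above turns on one distinction: the original poster's prefilter looks for shell commands, while Rachel's question is whether the data behind sqlplus can be modified at all. The C++ below is an added example, not code from either poster or from the list. It assumes a hypothetical reconstruction of a "catch any shell commands" denylist (passesShellDenylist) and, following Rachel's stock-quote remark, assumes the CGI's only legitimate input is a ticker symbol, so an allowlist (passesSymbolAllowlist) can accept exactly that and nothing else. The classify helper and all sample inputs are constructed for the illustration.

```cpp
// Added example (not from the original thread): a shell-metacharacter
// denylist, as the quoted poster describes, beside a strict allowlist of
// what the CGI actually needs. The SQL-level inputs that pass the first
// check and fail the second are the ones Rachel's question is about.
#include <iostream>
#include <string>
#include <vector>

// Hypothetical reconstruction of a "catch any shell commands" prefilter
// (an assumption, not the poster's code): reject input containing common
// shell metacharacters before it is handed to the sqlplus pipe.
bool passesShellDenylist(const std::string& input) {
    const std::string metachars = ";|&`$<>(){}\\\n\r";
    for (char c : input) {
        if (metachars.find(c) != std::string::npos) return false;
    }
    return true;
}

// Allowlist: assuming the CGI looks up a stock symbol, accept only one to
// eight uppercase ASCII letters. Anything else never reaches SQL at all.
bool passesSymbolAllowlist(const std::string& input) {
    if (input.empty() || input.size() > 8) return false;
    for (unsigned char c : input) {
        if (c < 'A' || c > 'Z') return false;
    }
    return true;
}

// Report what each filter decides:
//   "ok"         - passes the allowlist (and therefore the denylist too)
//   "shell-only" - passes the shell denylist but fails the allowlist, i.e.
//                  SQL-level content the shell filter never looks at
//   "rejected"   - fails both
std::string classify(const std::string& input) {
    const bool shellOk = passesShellDenylist(input);
    const bool allowOk = passesSymbolAllowlist(input);
    if (allowOk) return "ok";
    if (shellOk) return "shell-only";
    return "rejected";
}

int main() {
    // Constructed sample inputs for the demonstration.
    const std::vector<std::string> samples = {
        "ORCL",        // a legitimate lookup
        "ORCL OR 1=1", // no shell metacharacters, but SQL the filter ignores
        "ORCL;ls",     // shell metacharacter, caught by both checks
    };
    for (const auto& s : samples) {
        std::cout << '"' << s << "\" -> " << classify(s) << '\n';
    }
    return 0;
}
```

The "shell-only" row is the practical answer to the thread: a filter aimed at the shell says nothing about what the database account behind sqlplus is allowed to do, so pair the allowlist with a database login that can only read the tables the lookup needs, and confirm that the SQL listener is not reachable from outside except through the CGI.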
