This note regards the CGI programs that interface majordomo to the web.
Patrick Fitzgerald wrote:
>Dave Regan wrote:
>>Note that this is a CGI program. I used to think the problems of
>>security with user-written CGI programs were overstated. After looking
>>at a few other CGI programs I understand why administrators get worried.
>>So, please do not trust this or any other CGI program unless you have
>>a disposable machine or have one of *your* people look it over for
>>stupid errors. Now I don't expect that you will find any in these
>>programs, but you shouldn't trust my word. Note that if you
>>do find some problem, please let me know so that I can fix it.
>Well spoken - CGI security can be tricky. I've been modifying MailServ
>for several years now and I still find new ways to tweak it.
>That said, your script has a security hole big enough to drive a truck
>through. I'll send you a separate message to describe the problem.
>If anyone is using the script you might want to stop until Dave
>fixes it.
>--
> Patrick Fitzgerald, Hewlett-Packard Company
> fitz@iquest.com, Internet & System Security Lab
> http://iquest.com/~fitz/ http://www.hp.com/
I want to thank Mr. Fitzgerald for pointing out the security mistake
that I made. I hate making those sorts of stupid errors.
Another user of the majordomo-users mailing list (whose name
has scrolled off my list) suggested that I make a web page for
this program, as there will be people who want the program sometime
*after* the message went by.
So, if you are interested in running the CGI program to interface
to majordomo (or just want to see an example usage), please look
at:
http://www.peak.org/peak_info/mlists/Majordomo.html
Do not use the version which was sent out in this mailing list about
a week ago. It has a security problem.
If you have any comments or questions, feel free to drop me a note.
Dave Regan
regan@peak.org