This note regards the CGI web programs to interface to the web.
Patrick Fitzgerald wrote:
>Dave Regan wrote:
>>Note that this is a CGI program. I used to think the problems of
>>security with user-written CGI programs were overstated. After looking
>>at a few other CGI programs I understand why administrators get worried.
>>So, please do not trust this or any other CGI program unless you have
>>a disposable machine or have one of *your* people look it over for
>>stupid errors. Now I don't expect that you will find any in these
>>programs, but you shouldn't trust my word. Note that if you
>>do find some problem, please let me know so that I can fix it.
>Well spoken - CGI security can be tricky. I've been modifying MailServ
>for several years now and I still find new ways to tweak it.
>That said, your script has a security hole big enough to drive a truck
>through. I'll send you a separate message to describe the problem.
>If anyone is using the script you might want to stop until Dave
> / _____ ) Patrick Fitzgerald Hewlett-Packard Company
> / ___) / /__ email@example.com Internet & System Security Lab
>(_/ it(_____) http://iquest.com/~fitz/ http://www.hp.com/
I want to thank Mr. Fitzgerald for pointing out the security mistake
that I made. I hate making those sorts of stupid errors.

Another user of the majordomo-users mailing list (whose name
has scrolled off my list) suggested that I make a web page for
this program, as there will be people who want the program sometime
*after* the message went by.

So, if you are interested in running the CGI program to interface
to majordomo (or just want to see an example usage), please look

Do not use the version which was sent out in this mailing list about
a week ago. It has a security problem.

If you have any comments or questions, feel free to drop me a note.