in reply to Re: Matt's scripts strike again
in thread Matt's scripts strike again

I really don't want to put words in Abigail-II's mouth, so I'll add my own. ;) I think that the point is that an ISP who allows its users to install CGI scripts from any source (including self-developed / written) without first reviewing the script is exposing themselves (and their clients) to security risks.

Today it may have been Matt's script. But how many times have we seen security-hole ridden code posted here along with questions, by folks other than Matt Wright? It happens all the time, and one can only assume that such code eventually finds its way onto some unsuspecting ISP's system. And for every example we see here, there are thousands that never are seen by anyone aside from the script-kiddie (or sub-par professional) who wrote them, until the damage is done.

Any ISP who allows user-written and user-installed scripts onto its servers without prior review (a time-consuming and costly process), or without operating them in an environment that prohibits them from bad behavior, probably has serious breaches lurking that may be found eventually.

This is an unfortunate situation; a few bad apples ruin it for everyone. A substantial portion of ISPs have stopped allowing just anybody to post CGI scripts. This is a step in the right direction for security, and a step backward for the hobbyist, even if he/she produces secure code.


Dave

Re: Matt's scripts strike again
by Abigail-II (Bishop) on Dec 09, 2003 at 17:04 UTC
    I really don't want to put words in Abigail-II's mouth, so I'll add my own. ;) I think that the point is that an ISP who allows its users to install CGI scripts from any source (including self-developed / written) without first reviewing the script is exposing themselves (and their clients) to security risks.
    Reviewing would be nice, but costly, and I don't think many people want to pay for it. The alternative is to put any site that wants to install their own CGI programs on either a dedicated box (which will cost more than $10/month of course), or you're put on a box with only sites that put their own CGI programs on the box, and are told about the risks the others can do to you. Such boxes should have their bandwidth limited by a router (to prevent other hosts from becoming unreachable). SMTP traffic will only be allowed to at most a few other boxes (local to the ISP), in order to limit the number of outgoing messages per time unit.

    It won't prevent the box being used as a relay, but it will prevent it from becoming a big problem.

    Abigail

Re: Re: Re: Matt's scripts strike again
by hardburn (Abbot) on Dec 09, 2003 at 18:45 UTC

    But then you get into colos, where people are paying good money so they can run whatever they want on the servers they own, but are housed elsewhere. In some cases, the colo also offers a test server for their customers, which may be shared with many other customers. I doubt a customer would intentionally upload a malicious CGI since the colo will undoubtedly have a large paper trail leading back to them, but there is plenty of room for ignorance.

    The best solution here is to make sure each customer has a firewall covering all their equipment. However, this may not be economical.

    Beware that colos seem prone to great stupidity. In our move to our current colo, they told us we couldn't use SSH on their provided test server because it's "insecure" and we should use FTP instead. (We ended up buying a little more rackspace and a second server for testing so we could at least insulate ourselves from such madness).

    ----
    I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
    -- Schemer

    : () { :|:& };:

    Note: All code is untested, unless otherwise stated

      A firewall won't keep someone from using a CGI program to send mail. Also, if my colo company thought FTP to be more secure than SSH, I'd have to change colo companies.


      Christopher E. Stith

        A firewall won't keep someone from using a CGI program to send mail.

        There are application-layer firewalls that would do it, but in practice, there isn't much you can do about that.

        if my colo company thought FTP to be more secure than SSH, I'd have to change colo companies.

        Agreed, but it wasn't my decision.

        ----
        I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
        -- Schemer

        : () { :|:& };:

        Note: All code is untested, unless otherwise stated