Re: Re: Re: Matt's scripts strike again

But then you get into colos, where people are paying good money so they can run whatever they want on the servers they own, but are housed elsewhere. In some cases, the colo also offers a test server for their customers, which may be shared with many other customers. I doubt a customer would intentinally upload a malicious CGI since the colo will undoubtably have a large paper trail leading back to them, but there is plenty of room for ignorance.

The best solution here is to make sure each customer has a firewall covering all their equiptment. However, this may not be economical.

Beware that colos seem prone to great stupidity. In our move to our current colo, they told us we couldn't use SSH on their provided test server because it's "insecure" and we should use FTP instead. (We ended up buying a little more rackspace and a second server for testing so we could at least insulate ourselves from such madness).

----
I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
-- Schemer

: () { :|:& };:

Note: All code is untested, unless otherwise stated

Comment on Re: Re: Re: Matt's scripts strike again Download Code

Replies are listed 'Best First'.
Re: Re: Re: Re: Matt's scripts strike again by mr_mischief (Monsignor) on Dec 09, 2003 at 22:25 UTC
A firewall won't keep someone from using a CGI program to send mail. Also, if my colo company thought FTP to be more secure than SSH, I'd have to change colo companies. Christopher E. Stith	[reply]
Re: Re: Re: Re: Re: Matt's scripts strike again by hardburn (Abbot) on Dec 10, 2003 at 14:30 UTC
A firewall won't keep someone from using a CGI program to send mail. There are application-layer firewalls that would do it, but in practice, there isn't much you can do about that. if my colo company thought FTP to be more secure than SSH, I'd have to change colo companies. Agreed, but it wasn't my decision. ---- I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident. -- Schemer `: () { :\|:& };:` Note: All code is untested, unless otherwise stated	[reply] [d/l]
The problems of working around problems by mr_mischief (Monsignor) on Dec 10, 2003 at 14:59 UTC
There are application-layer firewalls that would do it, but in practice, there isn't much you can do about that. True, but since you want to be able to use the program for its intended purpose -- to let people connect to the web server and have the program send out E?SMTP mail -- then your transport level or even application-level firewall would have to be configured very specifically. It would also have to be changed every time the program was to send to a new recipient with a different MX host. The extra load on both the machine and the admin would be a nightmare if you had a number of valid recipients in a number of different domains. So as you said, in practical terms, there's not much you can do. It's less work and cost to fix the problem in the program than to work around it with tools insufficient to properly address the problem. Christopher E. Stith	[reply]