Joe wrote: > Since the CGI is being accessed by the system administrator, your remark > about the "user" being able to plug in any host name is plain silly. If > they've got access to the CGI you're ALREADY compromised. Besides, from > the shell I've got MORE than enough rope to hang myself. If I'm trying to > administer a remote machine over the web I want that same length of rope. I can find nothing in the article suggesting that access to the CGI should be restricted, let alone saying how you might do that. Regardless, it is so easy to secure the scripts properly, there is no excuse for not doing it, no matter how secure you think the rest of the setup is. Cheers, Ben. -- Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/ and Technical Director|Email: benat_private | A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/ London, England. |"Apache: TDG" http://www.ora.com/catalog/apache/
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:23:11 PDT