OT Cute filePro/Web applications

Fairlight fairlite at fairlite.com
Thu Mar 31 21:00:32 PST 2005


On Thu, Mar 31, 2005 at 11:18:55PM -0500, after drawing runes in goat's blood,
Howie cast forth these immortal, mystical words:
> 
> The fpweb script does create two or three temp files in /tmp that do get
> chmod 666 so that filepro can read and write them.

Still not good.

> They are deleted when the script finishes.

And you assume this makes things safe?  Why?  (Rhetorical--if you don't
already know why it doesn't, you can't give a meaningful answer.)

> No one from the web has access to /tmp in any case.

And this stops a local data corruption or interception attack how, exactly?

> What is your problem?

If you don't know, then you're ignoring (or don't know) at least one basic
tenet of security.  I'll let your statements speak for themselves.

> I have over 50 web sites using fpweb, some since 1999 and none has ever been
> compromised by any attack although a close reading of the logs shows
> thousands of attempts.

Most of which were probably the same Windows-oriented attempts that -every-
server gets pegged with continuously, no matter what platform the web
server is actually running.  That proves absolutely nothing.

It will only take -one- local user reading data to which they shouldn't
have access, or munging the data in a race condition.  Eventually you may
be bitten, and you will then learn the value of secure file modes the hard
way.

'Lucky' ne 'Well Prepared'

> More to the point, what did you think of my applications?

I didn't look at them.  I have already seen fPWeb employed on some of your
customers' machines and have had a close enough look to know you use some
interesting techniques--but nothing that can't be (and hasn't been) based
on more secure code.

I was wondering if you had gotten around to fixing underlying security
issues in the instructions and code that people have been using for years.
That was my only point.  Since you felt it was worth mentioning that they
utilise fPWeb, I felt it was worth asking if the underlying security 
issues had been addressed by this point in time.  Considering I take
security very seriously and I also have a web product (no great secret in
either case), it's a fair enough question for comparative analysis, IMHO.

> Remember. Brian White is our sysadmin - he does not allow anything that
> might be dangerous to occur on our or our clients servers.

If Brian considers 666 files acceptable security, I'll let that speak
for itself as well.  

I would suggest you (and he) have a read over the articles at
http://www.fairlite.com/fc/articles/ regarding both CGI security and unix
filesystem permissions.  They may prove educational.

Bests,

mark->
-- 
          *****   Fairlight Consulting's Software Solutions   *****
OneGate Universal CGI Gateway:                  http://onegate.fairlite.com/
FairPay PayPal Integration Kit:                 http://fairpay.fairlite.com/
RawQuery B2B HTTP[S] Client & CGI Debugger:     http://rawquery.fairlite.com/
Lightmail Mail Sending Agent:                   http://lightmail.fairlite.com/
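
The file-mode and race-condition point argued in the message above, as an added shell example that is not part of the original post and is not fpweb's code: the mode-666 pattern beside a private work directory. The `fpweb_demo`/`fpweb.` names, the PID-based file name and the optional shared group for a second account are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; directory and file names are hypothetical, not fpweb's own.

# True (0) if users outside the owner and group have any access to $1.
other_can_access() {
    [ -n "$(find "$1" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# The pattern from the thread: a file in a shared directory, mode 666.
# The guessable PID-based name is an assumption. $1 = shared dir (default /tmp).
make_weak_tmp() {
    f="${1:-/tmp}/fpweb_demo.$$"
    : > "$f"            # truncates whatever is already there, symlinks included
    chmod 666 "$f"      # any local account can now read or rewrite it
    printf '%s\n' "$f"
}

# Hardened: unpredictable directory that only the owner can enter.
# $1 = parent directory, $2 = optional group for a second account that must
# read/write the files (assumption: that account is a member of the group).
make_private_workdir() {
    d=$(umask 077; mktemp -d "${1:-/tmp}/fpweb.XXXXXXXX") || return 1
    if [ -n "${2:-}" ]; then
        chgrp "$2" "$d" && chmod 2770 "$d" || { rm -rf "$d"; return 1; }
    fi
    printf '%s\n' "$d"
}

# Create a data file inside the work directory; never open it to "other".
# $1 = work dir, $2 = file name, $3 = "group" to allow group read/write.
make_private_file() {
    if [ "${3:-}" = group ]; then m=007; else m=077; fi
    ( umask "$m"; set -C; : > "$1/$2" ) || return 1   # set -C: fail if the name exists
    printf '%s\n' "$1/$2"
}
```

Deleting the files when the script finishes does not change the result of `other_can_access` while the script is running, which is the window the reply is concerned with.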

