Quoting Eric Moore <suppressed>:
> > Randal Schwartz said something to the effect of "you shouldn't let anyone
> > know what you are using for CGI". He was speaking of using extensions to
> > file names like ".pl".
>
> Security through obscurity?
Security through obscurity is only bad if it is the only means of security. It
can be useful to deflect an attack if it is not obvious what the underlying
technology is (especially since there are so many ripe targets out there).
What if there were a known exploit for PHP, or ColdFusion, or perhaps for a
specific commonly used script (Matt's Script Archive, anyone?). A cracker might
scrape the web looking for specific files to find potential servers to attack.
If all your programs use the standard .cgi extension, then your server may be
skipped. Of course, one shouldn't be running vulnerable apps or scripts in the
first place!
> Doesn't really matter what one is using for cgi if you don't validate /
> examine everything that is returned from a browser (session_ids, uploaded
> files, parameter values).
Agreed. Never trust anything coming from the user. All other security measures
are pretty much useless if you don't follow that rule.
Cheers,
Cees
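The "never trust anything coming from the user" rule from the exchange above, as an added example that is not code from the original thread or from CGI::Application. It checks the three kinds of browser-supplied data the reply names (session IDs, uploaded file names, parameter values) with allowlists rather than by stripping "bad" characters, and rejects the request on the first failure. The request dictionaries, the session store and the field names `session_id`, `page` and `upload_name` are constructed for this example.

```python
import re

# Constructed sample requests, as a CGI script sees them once the query
# string or form body has been parsed. One honest request and four hostile ones.
GOOD_REQUEST = {"session_id": "3f2a" * 8, "page": "2", "upload_name": "report-2004.txt"}
BAD_REQUESTS = [
    {"session_id": "' OR 1=1 --", "page": "2", "upload_name": "a.txt"},       # injection in token
    {"session_id": "3f2a" * 8, "page": "2; rm -rf /", "upload_name": "a.txt"},  # shell metachars
    {"session_id": "3f2a" * 8, "page": "2", "upload_name": "../../etc/passwd"},  # path traversal
    {"session_id": "3f2a" * 8, "page": "2", "upload_name": "evil.pl\0.jpg"},     # NUL truncation
]

# Server-side session store keyed by the opaque token the server issued.
# Constructed for the example; a real store would be a file, DB or cache.
KNOWN_SESSIONS = {"3f2a" * 8: {"user": "cees"}}

# Allowlists: a session token is exactly 32 lowercase hex digits; an upload
# name is a plain basename with no separators, no leading dot and no NUL.
SESSION_ID_RE = re.compile(r"\A[0-9a-f]{32}\Z")
UPLOAD_NAME_RE = re.compile(r"\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\Z")


class ValidationError(ValueError):
    """Raised for any browser-supplied field that fails a check."""


def validate_session_id(raw, known_sessions):
    # Check the shape first so arbitrary strings never reach the store lookup.
    if not SESSION_ID_RE.match(raw):
        raise ValidationError("session_id: malformed")
    if raw not in known_sessions:
        raise ValidationError("session_id: unknown")
    return raw


def validate_int_param(raw, name, low, high):
    # Only plain decimal digits are accepted, then the value is range-checked;
    # int() alone would still accept "+2", " 2" or "2_0".
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValidationError(f"{name}: not a decimal integer")
    value = int(raw)
    if not low <= value <= high:
        raise ValidationError(f"{name}: out of range")
    return value


def validate_upload_name(raw):
    # Reject rather than sanitise: trying to strip "../" from names invites
    # bypasses such as "....//", whereas a basename allowlist has no such edge.
    if not UPLOAD_NAME_RE.match(raw):
        raise ValidationError("upload_name: rejected")
    return raw


def validate_request(params, known_sessions):
    """Return a dict of cleaned values, or raise ValidationError."""
    return {
        "session_id": validate_session_id(params.get("session_id", ""), known_sessions),
        "page": validate_int_param(params.get("page", ""), "page", 1, 1000),
        "upload_name": validate_upload_name(params.get("upload_name", "")),
    }


def check_requests(requests, known_sessions):
    """Return one entry per request: None if accepted, else the rejection reason."""
    results = []
    for params in requests:
        try:
            validate_request(params, known_sessions)
            results.append(None)
        except ValidationError as exc:
            results.append(str(exc))
    return results


if __name__ == "__main__":
    print("good:", check_requests([GOOD_REQUEST], KNOWN_SESSIONS))
    for reason in check_requests(BAD_REQUESTS, KNOWN_SESSIONS):
        print("bad: ", reason)
```

The checks run in the order a script would actually need them: the session token is validated before any store lookup, the integer is shape-checked before conversion, and the upload name is judged by what it is allowed to contain rather than by what is stripped out of it. Anything the script later writes to a shell, a path or a database should come from the cleaned dictionary, never from the raw parameters.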
---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/suppressed/
http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2