From: Olivier D. <dr...@sh...> - 2002-02-14 15:07:19
On Thu, Feb 14, 2002 at 09:02:04AM -0800, Wizard wrote:
> > - putting all possible world r/w files below the document root (or
> >   above, depending how you see this)
> This would only work for the .txt files. The HTML must be under the docroot.

Yes I know. But the less r/w files exposed, the better, no? Or is this a
false sense of pseudo security? And what about the directories? I've heard
of an exploit using something like ../../../../../../../../../../../tmp as
cgi-input to gain write access to a machine.

Again, I'm not a security expert and I don't know any methods of gaining
access to a machine, but it seems to me that the more holes plugged, the
better.

Thanks for the opinion. I'm trying to get a better feel for security and
this is helping me a lot. And who knows, might help the project too :o)

-Olivier

--
+----------------------------------------------+
| Olivier Dragon                   dr...@sh... |
| Software Engineering II, McMaster University |
+----------------------------------------------+
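The containment check that defeats the `../` input quoted in the message above, as an added example that is not part of the original post or the project's code. The data-directory layout and the names `resolve_under`, `UnsafePath` and `demo` are assumptions made for illustration.

```python
import os
import tempfile

class UnsafePath(ValueError):
    """Raised when a request-supplied name resolves outside the data directory."""

def resolve_under(base_dir, user_name):
    """Return the real path of user_name inside base_dir, or raise UnsafePath."""
    if "\x00" in user_name:
        raise UnsafePath("NUL byte in name")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so the comparison below
    # is made on the location an open() call would actually reach.
    candidate = os.path.realpath(os.path.join(base, user_name))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath(f"{user_name!r} escapes {base}")
    return candidate

def demo():
    """Run the check over constructed inputs; returns {input: 'ok' | 'rejected'}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        data = os.path.join(root, "data")  # hypothetical r/w data dir kept outside the docroot
        os.mkdir(data)
        open(os.path.join(data, "notes.txt"), "w").close()
        # Constructed symlink inside the data dir that points back out of it.
        os.symlink(root, os.path.join(data, "link"))
        samples = [
            "notes.txt",                             # ordinary file in the data dir
            "../../../../../../../../../../../tmp",  # the input quoted in the message
            "/etc/passwd",                           # absolute path discards the base in join()
            "link/other.txt",                        # leaves the data dir through the symlink
            "sub/../notes.txt",                      # stays inside once normalised
        ]
        for name in samples:
            try:
                resolve_under(data, name)
                results[name] = "ok"
            except UnsafePath:
                results[name] = "rejected"
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:9} {name}")
```

Open the path that `resolve_under` returns rather than the original input, so the file reached is the one that was checked.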