Posted to modperl@perl.apache.org by Stas Bekman <sb...@stason.org> on 2000/06/06 19:00:06 UTC

Vulnerability awareness (was: Re: FW: Apache::Dispatch)

Folks, let me stress a little point (or a big one, depending on how you look at
this): I'm in no way trying to discourage Geoff from creating yet another cool
module. It's just that lately I read too much info about sites being
hacked through bugs in CGI code. Here is a must read, if you didn't read it
yet.

  System Administration, Networking and Security (SANS) Institute
  published a list of exploits most often used to gain illegal access to
  network servers.
  http://www.sans.org/topten.htm

Vulnerable CGI programs are on the 2nd place of the topten exploits!!!
Vulnerable CGI programs are on the 2nd place of the topten exploits!!!
Vulnerable CGI programs are on the 2nd place of the topten exploits!!!

No, it's not a typo, I repeated it for you to pay attention.

Now you understand why I'm against modules that, in the hands of clueless and
careless users, will turn into trojan horses and the like, causing the
Perl/mod_perl/Apache projects, separately or all together, to be blamed for
no reason. It's a known fact that with Perl you can shoot your toes off,
but I don't see a reason to replace this gun's trigger with a sensor
button.

It's time for a challenge!!!

Check the vulnerability of the Apache:: modules, before the bad guys will.
Sounds like a really cool idea to learn CGI security with! It should
be very exciting to go to all those hacker sites, learn the known exploit
and break-in techniques, and then to try to apply them to Apache::
modules. Of course doing that at home, so you won't be put in jail.

If you take the challenge and spot vulnerabilities, I personally promise
to post your name(s) on perl.apache.org as an honorable ghostbuster!!!

So we've got the name for the project already: 'mod_perl ghostbusters' :)
Now, are there fearless people in our tribe? That's the question...

_____________________________________________________________________
Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
http://stason.org/       mod_perl Guide  http://perl.apache.org/guide 
mailto:stas@stason.org   http://perl.org     http://stason.org/TULARC
http://singlesheaven.com http://perlmonth.com http://sourcegarden.org