rst at ai
Apr 17, 1995, 6:19 PM
Post #7 of 10
Depending on your Joe.Users, some of them very well might have malicious
intent (American undergrads are famous for this), and whatever policies
a local site has should take this into account. Aside from this, the
major security concern is, say, Joe.User writing a script in shell because
it's something he knows, without taking the *extreme* care you need to
keep requests which include shell metacharacters from handing a potential
attacker the keys to the kingdom.
(An early version of a fairly widely-distributed archie-gateway CGI script
was written in shell. I was able to fabricate a request to this thing
which would give me an xterm running on the server --- I only used this on
my own machine, of course, and mainly as incentive to rewrite the version
of the thing running locally in Perl.)
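Added example, not part of the original post or of the archie gateway it mentions: a shell CGI handler showing the metacharacter problem described above next to an allowlisted, quoted form. The `query=` parameter name and the `search_backend` stand-in are assumptions made for illustration, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example. search_backend and the "query=" parameter are hypothetical.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below byte-exact

# Stand-in for the external search client; shows the single argument it received.
search_backend() {
    printf 'backend got: [%s]\n' "$1"
}

# UNSAFE pattern: the request value is pasted into text the shell parses again,
# so ';', '|', backquotes, '$(...)' and friends in the request become shell syntax.
lookup_unsafe() {
    eval "search_backend $1"
}

# Hardened: validate against an allowlist, then pass the value as ONE quoted
# argument. Nothing from the request is ever re-parsed by the shell.
lookup_safe() {
    term=$1
    # Reject empty or over-long values.
    [ -n "$term" ] && [ "${#term}" -le 64 ] || return 1
    case $term in
        *[!A-Za-z0-9._-]*) return 1 ;;  # any character outside the allowlist
        -*) return 1 ;;                 # leading hyphen would be read as an option
    esac
    search_backend "$term"
}

# CGI entry point: the web server puts the raw request value in QUERY_STRING.
# The value is checked while still encoded, so '%' and '+' escapes for
# metacharacters fail the allowlist as well.
handle_request() {
    case ${QUERY_STRING-} in
        query=*) lookup_safe "${QUERY_STRING#query=}" ;;
        *) return 1 ;;
    esac
}
```

A rejected request should produce an error page rather than a best-effort "cleaned" value; the allowlist is deliberately narrower than what a search term could legitimately contain.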