
Respond to: Client-Side Scripting on the Web & Security 

Forum: CCI for Perl
Re: The First Response (Ed Burns)
Re: What are the security implications with CCI? (Eliot Lear)
Re: Second the question on security (Stan Letovsky)
Re: Client-Side Scripting on the Web & Security (letovsky@gdb.org)
Date: 1995, Jan 18
From: Dave Thompson

Stan said:
|Mosaic launch a Perl/Tcl/whatever interpreter in response to the
|appropriate MIME type, one is fair game for any malicious or bumbling
|scripter who happens to put some bad code onto the Web. In Perl, for
|example, one could easily write an "rm -R *" script that would then
|execute with the privileges of the Mosaic user.

I think it's easier than that.  You could just send over an "rm -R *"
executed by the /bin/sh.  One has always had the capability to add a handler 
for csh, sh, Perl, Tcl, Python, ILU, etc. as external viewers.  The default 
mailcap doesn't have an interpreter external viewer for the very reason that it 
is very dangerous.  Users add this at their own peril.

However, I don't think this has anything to do with CCI, or the Perl
interface to the CCI.  I think there is a misunderstanding here of what
the CCI in NCSA Mosaic 2.5beta is.  The Perl interface is for the *client*
side API (Mosaic is the server).   Mosaic does not contain an interpreter.
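
An added example, not part of the original post: a small Python audit of a mailcap file that flags entries handing downloaded content to a shell or script interpreter, the configuration the post calls dangerous. The sample mailcap, its MIME type names, and the interpreters beyond those named in the post are constructed assumptions.

```python
import os
import re

# Interpreters named in the post, plus close relatives (the extras are an assumption).
INTERPRETERS = {"sh", "csh", "tcsh", "ksh", "bash", "perl", "tclsh", "wish", "python"}

# Constructed sample mailcap for illustration; not taken from any real system.
SAMPLE_MAILCAP = """\
# external viewers
image/*; xv %s
application/postscript; ghostview %s
application/x-perl; perl %s
application/x-sh; /bin/sh \\
    %s; needsterminal
application/x-tcl; env wish -f %s
text/plain; less %s; needsterminal
"""

def parse_mailcap(text):
    """Yield (mime_type, view_command) per entry, joining backslash continuations."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in re.split(r"(?<!\\);", line)]  # "\;" is escaped
        if len(fields) >= 2:
            yield fields[0].lower(), fields[1]

def first_program(stage):
    """Program run by one pipeline stage, skipping `env` and VAR=value words."""
    words = [w for w in stage.split() if "=" not in w and w != "env"]
    name = os.path.basename(words[0].strip("'\"")) if words else ""
    return re.sub(r"[\d.]+$", "", name)  # python3 -> python, perl5 -> perl

def risky_entries(text):
    """Return (mime_type, interpreter) for entries that hand content to an interpreter."""
    hits = []
    for mime, command in parse_mailcap(text):
        for stage in re.split(r"\|\||&&|\|", command):  # check every pipeline stage
            prog = first_program(stage)
            if prog in INTERPRETERS:
                hits.append((mime, prog))
    return hits
```

Calling `risky_entries(open(path).read())` on a user's `~/.mailcap` or the system mailcap lists the MIME types whose content would be executed rather than displayed.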


1 CCI & Security by letovsky@gdb.org, 1995, Jan 18
(_ Re: CCI & Security by adrianh@cogs.susx.ac.uk, 1995, Jan 19
(_ My response by @142.36.93.21, 1995, Apr 12
