W3C home > Mailing lists > Public > www-jigsaw@w3.org > May to June 1999

Re: How secure is jigsaw ?

From: Roland Mainz <Roland.Mainz@informatik.med.uni-giessen.de>
Date: Mon, 21 Jun 1999 19:53:00 +0200
Message-Id: <376E7BFC.464704AC@informatik.med.uni-giessen.de>
To: W3 Jigsaw Mailinglist <www-jigsaw@w3.org>
Yves Lafon wrote:

> > Some security related questions on jigsaw:
> >
> > - How secure is jigsaw under Unix and under WinNT ?
> > - Any known successfull/failed break-in attempts ?
> > - Any "common problems" in jigsaw security ?
> > - How to detect break-in attempts ?
> >
> > ----
>
> Of course no exhaustive checks has been done, but the main cause of
> attacks are buffer overflow, or trying to access forbidden files.
> Inside Jigsaw, there is no possibility to generate such overflow because
> of Java.
> No break-in attemps known yet (I checked all my logs to see strange
> things)
> Of course you have the problem of a malicious servlet or cgi, but that's
> webmaster responsability.
> When a connection starts, the server want to parse the first line, and if
> it is not a valid HTTP header, it will thow an exception and log a bad
> request (see log) with the bogus URI.
> Also, it is always safer to run a server as nobody (or another dummy user)
> in a chrooted environment.
> But I never heard of any security problem.

Are you sure that any kind of URL-hacking (e.g.
www.myhost.com/../../etc/passwd) won't be successfull ?

----

After all, if you think jigsaw is secure, then add this to jigsaw's webpages.
Good security is everytimes a wanted feature...

----

Bye,
Roland

--
  __ .  . __
 (o.\ \/ /.o)  Roland Mainz                               C programmer
  \__\/\/__/   Roland.Mainz@informatik.med.uni-giessen.de MPEG specialist
  /O /==\ O\   gisburn@w-specht.rhein-ruhr.de             Sun&&Amiga programmer
 (;O/ \/ \O;)  TEL +49 (0) 2426901568  FAX +49 (0) 2426901569
Received on Monday, 21 June 1999 13:53:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 9 April 2012 12:13:29 GMT