- From: Roland Mainz <Roland.Mainz@informatik.med.uni-giessen.de>
- Date: Mon, 21 Jun 1999 19:53:00 +0200
- To: W3 Jigsaw Mailinglist <www-jigsaw@w3.org>
Yves Lafon wrote:
> > Some security related questions on jigsaw:
> >
> > - How secure is jigsaw under Unix and under WinNT ?
> > - Any known successful/failed break-in attempts ?
> > - Any "common problems" in jigsaw security ?
> > - How to detect break-in attempts ?
> >
> > ----
>
> Of course no exhaustive checks have been done, but the main causes of
> attacks are buffer overflows, or trying to access forbidden files.
> Inside Jigsaw, there is no possibility to generate such an overflow because
> of Java.
> No break-in attempts known yet (I checked all my logs to see strange
> things).
> Of course you have the problem of a malicious servlet or cgi, but that's
> the webmaster's responsibility.
> When a connection starts, the server wants to parse the first line, and if
> it is not a valid HTTP header, it will throw an exception and log a bad
> request (see log) with the bogus URI.
> Also, it is always safer to run a server as nobody (or another dummy user)
> in a chrooted environment.
> But I never heard of any security problem.

Are you sure that any kind of URL-hacking (e.g. www.myhost.com/../../etc/passwd) won't be successful ?

----

After all, if you think jigsaw is secure, then add this to jigsaw's webpages. Good security is always a wanted feature...

----

Bye,
Roland

--
  __ . . __
 (o.\ \/ /.o)  Roland Mainz                                  C programmer
  \__\/\/__/   Roland.Mainz@informatik.med.uni-giessen.de    MPEG specialist
  /O /==\ O\   gisburn@w-specht.rhein-ruhr.de                Sun&&Amiga programmer
 (;O/ \/ \O;)  TEL +49 (0) 2426901568  FAX +49 (0) 2426901569
Received on Monday, 21 June 1999 13:53:18 UTC
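One defensive check for the URL-hacking case raised in the message above (`../../etc/passwd`), as an added example that is not Jigsaw's own code: it maps a request path onto an assumed document root (`/var/www/htdocs`, a constructed value) and refuses anything that resolves outside it, then classifies a few constructed request lines the way the reply describes (an invalid first line is logged as a bad request rather than served).

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for this example; not a Jigsaw setting.
DOC_ROOT = "/var/www/htdocs"


def resolve_request_path(request_uri, doc_root=DOC_ROOT):
    """Map an HTTP request path onto the filesystem below doc_root.

    Returns the resolved absolute path, or None if the request would
    escape the document root (or carries a NUL byte)."""
    # Drop the query string, then percent-decode so %2e%2e/ is seen as ../
    path = unquote(request_uri.split("?", 1)[0])
    if "\x00" in path:
        return None
    # On Windows NT a backslash is also a separator; normalise it first
    path = path.replace("\\", "/")
    # Join the relative part to the root, then collapse ., .. and repeated /
    candidate = posixpath.normpath(posixpath.join(doc_root, path.lstrip("/")))
    # Whatever remains after normalisation must still lie under doc_root
    if candidate != doc_root and not candidate.startswith(doc_root + "/"):
        return None
    return candidate


# Constructed sample request lines (not from any real log), shaped like the
# first line of an HTTP request, which the reply says is parsed first.
SAMPLE_REQUEST_LINES = [
    "GET /index.html HTTP/1.0",
    "GET /../../etc/passwd HTTP/1.0",
    "GET /docs/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.0",
    "GET /docs/../faq.html HTTP/1.0",
    "BOGUS LINE",
]


def audit_request_lines(lines, doc_root=DOC_ROOT):
    """Return (line, verdict) pairs: 'bad request' for a malformed first
    line, 'traversal' for a path that escapes doc_root, else 'ok'."""
    results = []
    for line in lines:
        parts = line.split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            results.append((line, "bad request"))
            continue
        safe = resolve_request_path(parts[1], doc_root)
        results.append((line, "ok" if safe is not None else "traversal"))
    return results
```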