Re: Security issue with buffer overflow?

On Wed, 3 Jan 2001, Manty, George wrote:

> > I read a while ago that there was a security issue with a former version
> > of CERN httpd.  The problem was regarding a buffer overflow security
> > hole.  I was wondering if Jigsaw has been tested to ensure that the server
> > cannot be attacked with a buffer overflow attack.

CERN httpd was written in C, while Jigsaw is in Java, with bounds checking
taken care of by the language.
So it is safer because of the language, but you can have a configuration
that allows someone to get unwanted information or upload things (if
you enable PUT without adding a restriction with credentials, preferably
using DigestAuth).

-- 
Yves Lafon - W3C / Jigsaw - XML Protocol - HTTP
"Baroula que barouleras, au tiéu toujou t'entourneras."

Received on Wednesday, 3 January 2001 10:25:35 UTC
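
The bounds check the reply credits to the Java language, written out by hand in C as an added example; this is not code from CERN httpd, Jigsaw, or the original message. The function name `copy_request_path`, the status codes and the 64-byte limit are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 64  /* constructed limit for this example */

enum copy_status { COPY_OK = 0, COPY_TOO_LONG = -1, COPY_BAD_ARG = -2 };

/*
 * Copy the path from an HTTP request line ("GET /path HTTP/1.0") into a
 * fixed-size buffer. C performs no check on writes past the end of dst;
 * the explicit length test below is what Java does on every array store.
 */
static enum copy_status copy_request_path(const char *request_line,
                                          char *dst, size_t dst_size)
{
    if (request_line == NULL || dst == NULL || dst_size == 0)
        return COPY_BAD_ARG;
    dst[0] = '\0';

    /* The path starts after the first space and ends at the next one. */
    const char *start = strchr(request_line, ' ');
    if (start == NULL)
        return COPY_BAD_ARG;
    start++;
    size_t len = strcspn(start, " \r\n");
    if (len == 0)
        return COPY_BAD_ARG;

    /* Reject instead of truncating: a cut-off path can name another resource. */
    if (len >= dst_size)
        return COPY_TOO_LONG;

    memcpy(dst, start, len);
    dst[len] = '\0';
    return COPY_OK;
}

int main(void)
{
    char path[PATH_MAX_LEN];
    /* Constructed sample request line. */
    enum copy_status st = copy_request_path("GET /index.html HTTP/1.0\r\n",
                                            path, sizeof path);
    printf("status=%d path=%s\n", (int)st, path);
    return 0;
}
```

A server would typically map `COPY_TOO_LONG` to an error response rather than continue processing the request.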