The World Wide Web Security FAQ

New: Security holes found in Microsoft Internet Information Server 3.0, and Netscape Navigator 3.01. See What's New? for details.

Table of Contents

MIRROR SITES FOR THIS DOCUMENT

http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.html

USA Mirrors

• http://www.netdynamics.com/ftp/pub/community/www-security-faq/
• ftp://www.netdynamics.com/pub/community/www-security-faq/www-security-faq.tar.gz
• http://perl.guru.org/faqs/www-security-faq.html
• http://www.cs.pitt.edu/~tomsic/www-security/
• http://home.eznet.net/~akill/wwwsecfaq/www-security-faq.html

Western European Mirrors

• http://nswt.tuwien.ac.at:8000/www-security-faq/
• http://cip.physik.uni-wuerzburg.de/www-security/
• http://www3.uniovi.es/~rivero/mirror/www-security-faq/
• http://www.ntua.gr/WWW/www-security-faq/
• ftp://ftp.ntua.gr/pub/www/FAQ/www-security-faq.tar.gz
• http://www.sensible.it/www-security/
• http://www.poli.studenti.to.it/info/www-security/www-security-faq.html
• http://www.man.ac.uk/~mbzalgd/www-security/

Eastern European Mirrors

• http://oliver.efri.hr/~crv/security/w3/www-security-faq.html
• http://sunsite.srce.hr/mirror/www.genome.wi.mit.edu/WWW/faqs/www-security-faq.html
• http://www.sarc.sk/~www/www-security-faq/
• http://www.ilya.ibm.lv/security/www-security-faq.html

Asian Mirrors

• http://www-ph.postech.ac.kr/~bsjung/admin/www-security
• http://db.csie.ncu.edu.tw/WWWClub/WWWsecurity/www-security-faq.html

http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.tar.gz

You can also download this entire document as a ZIP archive:

http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.zip

CONTENTS

1. Introduction
2. What's New?
3. General Questions
   • Q1 What's to worry about?
   • Q2 Exactly what security risks are we talking about?
   • Q3 Are some Web servers and operating systems more secure than others?
   • Q4 Are some Web server software programs more secure than others?
   • Q5 Are CGI scripts insecure?
   • Q6 Are server-side includes insecure?
   • Q7 What general security precautions should I take?
   • Q8 Where can I learn more about network security?
4. Running a Secure Server
   • Q9 How do I set the file permissions of my server and document roots?
   • Q10 I'm running a server that provides a whole bunch of optional features. Are any of them security risks?
   • Q11 I heard that running the server as "root" is a bad idea. Is this true?
   • Q12 I want to share the same document tree between my ftp and Web servers. Is there any problem with this idea?
   • Q13 Can I make my site completely safe by running the server in a "chroot" environment?
   • Q14 My local network runs behind a firewall. How can I use it to increase my Web site's security?
   • Q15 My local network runs behind a firewall. How can I get around it to give the rest of the world access to the Web server?
   • Q16 How can I detect if my site's been broken into?
5. Protecting Confidential Documents at Your Site
   • Q17 What types of access restrictions are available?
   • Q18 How safe is restriction by IP address or domain name?
   • Q19 How safe is restriction by user name and password?
   • Q20 What is user verification?
   • Q21 How do I restrict access to documents by the IP address or domain name of the remote browser?
   • Q22 How do I add new users and passwords?
   • Q23 Isn't there a CGI script to allow users to change their passwords online?
   • Q24 Using .htaccess to control access in individual directories is so convenient, why should I use access.conf?
   • Q25 How does encryption work?
   • Q26 What are: SSL, SHTTP, Shen?
   • Q27 Are there any "freeware" secure servers?
   • Q28 How do I accept credit card orders over the Web?
   • Q29 What are: First Virtual Accounts, DigiCash, Cybercash?
6. CGI Scripts
   • Q30 What's the problem with CGI scripts?
   • Q31 Is it better to store scripts in the cgi-bin directory or to identify them using the .cgi extension?
   • Q32 Are compiled languages such as C safer than interpreted languages like Perl and shell scripts?
   • Q33 I found a great CGI script on the Web and I want to install it. How can I tell if it's safe?
   • Q34 What CGI scripts are known to contain security holes?
   • Q35 I'm developing custom CGI scripts. What unsafe practices should I avoid?
   • Q36 But if I avoid eval(), exec(), popen() and system(), how can I create an interface to my database/search engine/graphics package?
   • Q37 Is it safe to rely on the PATH environment variable to locate external programs?
   • Q38 I hear there's a package called cgiwrap that makes CGI scripts safe?
   • Q39 People can only use scripts if they're accessed from a form that lives on my local system, right?
   • Q40 Can people see or change the values in "hidden" form variables?
   • Q41 Is using the "POST" method for submitting forms more private than "GET"?
   • Q42 Where can I learn more about safe CGI scripting?
7. Safe Scripting in Perl
   • Q43 How do I avoid passing user variables through a shell when calling exec() and system()?
   • Q44 What are Perl taint checks? How do I turn them on?
   • Q45 OK, I turned on taint checks like you said. Now my script dies with the message: "Insecure path at line XX" every time I try to run it!
   • Q46 How do I "untaint" a variable?
   • Q47 I'm removing shell metacharacters from the variable, but Perl still thinks it's tainted!
   • Q48 Is it true that the pattern matching operation $foo=~/$user_variable/ is unsafe?
   • Q49 My CGI script needs more privileges than it's getting as user "nobody". How do I run a Perl script as suid?
8. Server Logs and Privacy
   • Q50 What information do readers reveal that they might want to keep private?
   • Q51 Do I need to respect my readers' privacy?
   • Q52 How do I avoid collecting too much information?
   • Q53 How do I protect my readers' privacy?
9. Client Side Security
   • Q54 Someone suggested I configure /bin/csh as a viewer for documents of type application/x-csh. Is this a good idea?
   • Q55 Is there anything else I should keep in mind regarding external viewers?
   • Q56 How do I turn off the "You are submitting the contents of a form insecurely" message in Netscape? Should I worry about it?
   • Q57 How secure is the encryption used by SSL?
   • Q58 My Netscape browser is displaying a form for ordering merchandise from a department store that I trust. The little key at the lower left-hand corner of the Netscape window is solid and has two teeth. This means I can safely submit my credit card number, right?
   • Q59 How private are my requests for Web documents?
   • Q60 What's the difference between Java and JavaScript?
   • Q61 Are there any known security holes in Java?
   • Q62 Are there any known security holes in JavaScript?
   • Q63 What is ActiveX? Does it pose any risks?
   • Q64 Do "Cookies" Pose any Security Risks?
   • Q65 Can your web browser reveal your LAN login name and password?
   • Q66 Are there any known problems in Microsoft Internet Explorer?
10. Specific Servers
    • Windows NT Servers
      • Q67 Are there any known problems with the Netscape Servers?
      • Q68 Are there any known problems with the WebSite Server?
      • Q69 Are there any known problems with Purveyor?
      • Q70 Are there any known problems with Microsoft IIS?
    • Unix Servers
      • Q71 Are there any known problems with NCSA httpd?
      • Q72 Are there any known problems with CERN httpd?
      • Q73 Are there any known problems with Apache httpd?
      • Q74 Are there any known problems with the Netscape Servers?
      • Q75 Are there any known problems with the IBM ICSS Server?
      • Q76 Are there any known problems with the WN Server?
    • Macintosh Servers
      • Q77 Are there any known problems with WebStar?
      • Q78 Are there any known problems with MacHTTP?
      • Q79 Are there any known problems with Quid Pro Quo?
    • Other Servers
      • Q80 Are there any known problems with Novell WebServer?
11. Bibliography