The World Wide Web Security FAQ
Lincoln D. Stein
<lstein@genome.wi.mit.edu>
Version 1.3.9, June 25, 1997
New: Security holes found in Microsoft Internet Information Server 3.0, and
Netscape Navigator 3.01. See What's
New? for details.
Table of Contents
MIRROR SITES FOR THIS DOCUMENT
The master copy of this document can be found at:
http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.html
This document is updated every 2 to 4 weeks.
USA Mirrors
Western European Mirrors
Eastern European Mirrors
Asian Mirrors
You may mirror this document by copying and unpacking the following
tar archive:
http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.tar.gz
You should then set up a cron job to check this site at
regular intervals and update your copy. You can use the w3mir program for
this purpose. Please send me e-mail if you set up a mirror site in a
country that isn't already a mirror sponsor so that I may add
you to this list (more Pacific sites needed!).
You can also download this entire document as a ZIP archive:
http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.zip
- Introduction
- What's New?
- General Questions
- Q1 What's to worry about?
- Q2 Exactly what security risks are we talking about?
- Q3 Are some Web servers and operating systems
more secure than others?
- Q4 Are some Web server software programs more
secure than others?
- Q5 Are CGI scripts insecure?
- Q6 Are server-side includes insecure?
- Q7 What general security precautions should I take?
- Q8 Where can I learn more about network security?
- Running a Secure Server
- Q9 How do I set the file permissions of my server
and document roots?
- Q10 I'm running a server that provides a whole
bunch of optional features. Are any of them security risks?
- Q11 I heard that running the server as "root"
is a bad idea. Is this true?
- Q12 I want to share the same document tree between my
ftp and Web servers. Is there any problem with this idea?
- Q13 Can I make my site completely safe by running
the server in a "chroot" environment?
- Q14 My local network runs behind a firewall. How can I
use it to increase my Web site's security?
- Q15 My local network runs behind a firewall. How can
I get around it to give the rest of the world access to the
Web server?
- Q16 How can I detect if my site's been broken into?
- Protecting Confidential Documents at Your Site
- Q17 What types of access restrictions are
available?
- Q18 How safe is restriction by IP address or domain name?
- Q19 How safe is restriction by user name and password?
- Q20 What is user verification?
- Q21 How do I restrict access to documents by the
IP address or domain name of the remote browser?
- Q22 How do I add new users and passwords?
- Q23 Isn't there a CGI script to allow users to
change their passwords online?
- Q24 Using
.htaccess
to control
access in individual directories is so convenient, why
should I use access.conf
?
- Q25 How does encryption work?
- Q26 What are: SSL, SHTTP, Shen?
- Q27 Are there any "freeware" secure servers?
- Q28 How do I accept credit card orders over the Web?
- Q29 What are: First Virtual Accounts, DigiCash,
Cybercash?
- CGI Scripts
- Q30 What's the problem with CGI scripts?
- Q31 Is it better to store scripts in the cgi-bin
directory or to identify them using the .cgi extension?
- Q32 Are compiled languages such as C safer than
interpreted languages like Perl and shell scripts?
- Q33 I found a great CGI script on the Web and I
want to install it. How can I tell if it's safe?
- Q34 What CGI scripts are known to contain security
holes?
- Q35 I'm developing custom CGI scripts. What unsafe
practices should I avoid?
- Q36 But if I avoid eval(), exec(), popen() and system(),
how can I create an interface to my database/search engine/graphics
package?
- Q37 Is it safe to rely on the PATH environment variable
to locate external programs?
- Q38 I hear there's a package called cgiwrap that makes
CGI scripts safe?
- Q39 People can only use scripts if they're accessed from
a form that lives on my local system, right?
- Q40 Can people see or change the values in "hidden"
form variables?
- Q41 Is using the "POST" method for submitting forms
more private than "GET"?
- Q42 Where can I learn more about safe CGI scripting?
- Safe Scripting in Perl
- Q43 How do I avoid passing user variables through
a shell when calling exec() and system()?
- Q44 What are Perl taint checks? How do I turn
them on?
- Q45 OK, I turned on taint checks like you said. Now
my script dies with the message: "Insecure path at line XX"
every time I try to run it!
- Q46 How do I "untaint" a variable?
- Q47 I'm removing shell metacharacters from the
variable, but Perl still thinks it's tainted!
- Q48 Is it true that the pattern matching operation
$foo=~/$user_variable/ is unsafe?
- Q49 My CGI script needs more privileges than it's
getting as user "nobody". How do I run a Perl script as suid?
- Server Logs and Privacy
- Q50 What information do readers reveal that
they might want to keep private?
- Q51 Do I need to respect my readers' privacy?
- Q52 How do I avoid collecting too much information?
- Q53 How do I protect my readers' privacy?
- Client Side Security
- Q54 Someone suggested I configure /bin/csh as a viewer for
documents of type application/x-csh. Is this a good idea?
- Q55 Is there anything else I should
keep in mind regarding external viewers?
- Q56 How do I turn off the "You are submitting
the contents of a form insecurely" message in Netscape? Should I
worry about it?
- Q57 How secure is the encryption used by SSL?
- Q58 My Netscape browser is displaying a form
for ordering merchandise from a department store that I trust. The
little key at the lower left-hand corner of the Netscape window is
solid and has two teeth. This means I can safely submit my credit
card number, right?
- Q59 How private are my requests for Web documents?
- Q60 What's the difference between Java and JavaScript?
- Q61 Are there any known security holes in Java?
- Q62 Are there any known security holes in JavaScript?
- Q63 What is ActiveX? Does it pose any risks?
- Q64 Do "Cookies" Pose any Security Risks?
- Q65 Can your web browser reveal your LAN login name and password?
- Q66 Are there any known problems in Microsoft Internet Explorer?
- Specific Servers
- Windows NT Servers
- Q67 Are there any known problems with the Netscape Servers?
- Q68 Are there any known problems with the WebSite Server?
- Q69 Are there any known problems with Purveyor?
- Q70 Are there any known problems with Microsoft IIS?
- Unix Servers
- Q71 Are there any known problems with NCSA httpd?
- Q72 Are there any known problems with CERN httpd?
- Q73 Are there any known problems with Apache httpd?
- Q74 Are there any known problems with the Netscape Servers?
- Q75 Are there any known problems with the IBM ICSS Server?
- Q76 Are there any known problems with the WN Server?
- Macintosh Servers
- Q77 Are there any known problems with WebStar?
- Q78 Are there any known problems with MacHTTP?
- Q79 Are there any known problems with Quid Pro Quo?
- Other Servers
- Q80 Are there any known problems with Novell WebServer?
- Bibliography
Lincoln
D. Stein
Whitehead Institute for
Biomedical Research
Last modified: Wed Jun 25 17:58:30 EDT 1997