20050930-webScripts

seligman at nevis.columbia.edu seligman at nevis.columbia.edu
Fri Sep 30 07:02:03 EDT 2005


A couple of users have asked about a recent change in the web server's
configuation.

We recently had a security incident where an attacker compromised our
web server due to insufficient security in a user's PHP script.  Our
policy has always been against allowing users to create their own CGI
scripts, but I never fully enforced it on the web server.  This has
been changed, and PHP scripts (along with all other forms of CGI
programming) are no longer allowed from users' web sites.

I've modified the "FAQ" section of the Nevis web-page guide at
<http://www.nevis.columbia.edu/webguide/> to make this policy clear. 

If you have any comments or questions, please contact Bill Seligman --
but after wasting at least five days dealing with the consequences of
the intrusion, don't expect me to change this policy.



More information about the Nevis-linux mailing list