UB Computer Science and Engineering logo

Security

Many of the extra capabilities this web server supports allow you to run things on the Web Server itself. These things run as you. This means if you are not careful you can wind up allowing anyone on the Web to do things to your account like remove files (or worse). For each of the extra capabilities listed below, we'll make suggestions to help you avoid security problems. Be careful to follow the suggestions.

There are a few generalities. If shell scripts are involved, it is best to turn off "filename globbing" in the shell. This will prevent remote users from being able to see lists of files. Begin sh scripts with:

  #!/bin/sh -f

For csh or tcsh scripts, use the command set noglob. Be as conservative as possible with file permissions. Where file permissions can be set up to restrict who will be able to see them (e.g. CGI scripts) how to do that will be described below. Also keep in mind when writing scripts that in most cases other people on the Web may be able to point their own Web Pages at your scripts. Your scripts may wind up receiving input from pages that you did not set up so you cannot assume anything about the input your scripts will see.

References

  1. https://en.wikipedia.org/wiki/Web_application_security

This page last modified: Thu, June 21, 2018 19:49:34

Send your comments to: cse-webmaster@buffalo.edu

© 2019 University at Buffalo. All rights reserved. | Privacy | Accessibility