This information is provided by Lincoln Stein (lstein@cshl.org). The World Wide Web
Consortium (W3C) hosts this document as a service to the Web Community;
however, it does not endorse its contents. For further information,
please contact Lincoln Stein directly.
Changed example of untainting an e-mail address to be consistent with Gunther Birznieks' more cautious approach.
Added Matt Wright's TextCounter script to list of CGI scripts with security holes. Also updated information on the guestbook script vulnerability in the same section.
Removed the CERN Web server from the list of specific servers, as it is used at very few sites now.
Version 1.8.1, April 16, 1998
Minor typo and URL fixes
Version 1.8.0, April 13, 1998
Added information on the <Embed> and recursive frame bugs in Internet Explorer 4.0-4.01.
Added information on the bookmarks buffer overrun bugs in Netscape Communicator 4.0-4.04.
Updated section on cookies to discuss the risks of session ID piracy and to give recommendations to developers on how to avoid this problem.
Added warnings about a serious hole in the Lynx 2.7.1 browser.
Added a discussion of creating an organizational security policy to the discussion of general security precautions for Web sites.
Brought Java and JavaScript sections more-or-less up to date.
Brought sections on electronic commerce up to date.
Added section on log security hole in Macintosh WebSTAR.
URL and spelling fixes.
Version 1.2.4
The Java section has been enlarged in light of new information.
Multiple links updated.
Reports of problems with the util.c library in Apache and NCSA httpd have been added to the servers bug section.
Bibliography expanded.
List of mirror sites is rapidly growing.
Version 1.2.3
In light of new revelations about security holes in both Java and JavaScript, this section has been largely rewritten.
Mirror sites are now listed.
Added The Risks Digest to the bibliography.
Version 1.2.2
Split the FAQ into bite-sized pieces so that people across the Atlantic can fetch it.
Moved the Java and JavaScript pieces into the Client-Side Security section (this caused a renumbering of questions to occur).
Updated Java and JavaScript to reflect the fact that all known bugs are fixed in Netscape 2.01.
Updated section on Microsoft IIS server to reflect the fact that the .BAT file hole is closed.
Added results of WebStar challenge to section on Macintosh servers.
Version 1.2.1
Properly credited Jennifer Myers as the discoverer of the NCSA util.c hole.
Version 1.2.0
Increased coverage of the extremely serious holes in JavaScript. If you are using Netscape 2.0, or if anyone in your organization is, read this.
Added the Microsoft IIS server to the list of Windows NT servers afflicted by the .BAT CGI script hole.
Coverage of the security hole recently found in the util.c CGI library distributed with NCSA httpd and incorporated into many C-language CGI scripts.
Version 1.1.9
Fixed the confusion between Java and JavaScript. Am I the only one confused by the similarity in names?
Version 1.1.8
More updates on the .BAT file CGI hole on several NT servers, including pointers to O'Reilly's fix for the problem and Purveyor's immunity to the problem.
The O'Reilly WebSite server has the same hole in .BAT CGI scripts as the Netscape server, so the specific programs section has been updated to reflect this fact.
Updated the SSL section to reflect the SSL patches for the Apache server.
Version 1.1.6
Created a new section on security holes in specific programs and populated it with two recent reports on Netscape Communications Server for Windows NT. This section will grow longer; the emphasis on Netscape is a startup artefact.
Version 1.1.5
Fix to the Perl code for sending mail safely. Thanks to William DenBesten for finding this one.
Version 1.1.4
Fixed a typo in the example of password protecting a page.
Version 1.1.3
Fixed a bug in the Perl regular expression for parsing Internet e-mail addresses (caught by Enzo Michelangelo).
Fixed address of Trusted Information Systems FTP site.
Version 1.1.2
Added discussion of IP address restriction suggested by Paul Phillips.
Version 1.1.1
Added the European mirror site at www.Austria.EU.net.