The World Wide Web Security FAQ

DISCLAIMER

This information is provided by Lincoln Stein (lstein@cshl.org). The World Wide Web Consortium (W3C) hosts this document as a service to the Web Community; however, it does not endorse its contents. For further information, please contact Lincoln Stein directly.

Up to Table of Contents

Backward to Introduction
Forward to General Questions

2. What's New?

Recent versions of the FAQ.

Version 2.0.1, March 24, 2000
- Updated information on Netscape Enterprise Server vulnerabilities
- Added section on Denial of Service Attacks provided by Marc Myers.
- Updated section on CyberCash, SET, and Open Market.
Version 2.0.0, September 13, 1999
- Added information on frame hijacking.
- More client-side JavaScript exploits, as per usual.
- Updated sections on CGI script bugs to include newly discovered vulnerabilities in HotMail and the Excite Web Search engine.
- New section on e-mail exploits.
- Updated section on CGI wrapper scripts.
- Added pointers to digital watermarking technologies.
- Rewrote text on relative operating system security to better reflect real world needs.
- Improved the description of safe exec() calls in Perl.
- Improved the e-mail pattern match in the description of variable untainting in Perl.
Version 1.9.0, June 30, 1998
- Information on a newly-discovered vulnerability in O'Reilly WebSite Pro, Netscape Enterprise Server for Windows NT, Sun's JavaWebServer, and Process Software's Purveyor. This bug allows the source code for server-side include pages and Java Servlets to be viewed by remote users.
- Information on vulnerabilities in the MetaInfo MetaWeb server.
- Added reference to the CGI/Perl Taint Mode FAQ in the discussion of Perl taint checks.
- Changed example of untainting an e-mail address to be consistent with Gunther Birznieks' more cautious approach.
- Added Matt Wright's TextCounter script to list of CGI scripts with security holes. Also updated information on the guestbook script vulnerability in the same section.
- Removed the CERN Web server from the list of specific servers, as it is used at very few sites now.
Version 1.8.1, April 16, 1998
- Minor typo and URL fixes
Version 1.8.0, April 13, 1998
- Added information on the <Embed> and recursive frame bugs in Internet Explorer 4.0-4.01.
- Added information on the bookmarks buffer overrun bugs in Netscape Communicator 4.0-4.04.
- Updated section on cookies to discuss the risks of session ID piracy and to give recommendations to developers on how to avoid this problem.
- Added warnings about a serious hole in the Lynx 2.7.1 browser.
- Added a discussion of creating an organizational security policy to the discussion of general security precautions for Web sites.
- Also added some Windows NT specific system audit tools to the list of general security precautions.
- Updated mirror sites.
Version 1.7.0, January 19, 1998
- Added information on a security hole recently found in the Excite Web Search Engine.
Version 1.6, 1.6.1, January 16, 1998
- Information on a severe new security hole in Microsoft Internet Explorer browser (4.0, 4.01)
- Information on new security holes in the Microsoft Internet Information Server and Personal Web Server, version 4.0
- Information on new security holes in the Netscape Enterprise (3.0) and FastTrack (3.01) Servers.
- Information on new security holes in the Apache Web server through 1.2.4.
- Old, but previously unreported, holes in the IBM Internet Connection Secure Server.
- WebPass, a new remote password changing script.
Version 1.5.1, November 6, 1997
- Added the Count.cgi script to the list of buggy CGI scripts.
- Added information about the sbox wrapper for running CGI scripts in a multihosted environment.
- Minor URL and e-mail address fixes.
Version 1.5, November 1, 1997
- New sections on accepting site certificates and CA certificates.
- New information on old log directory configuration bugs in Netscape servers and possibly other commercial servers as well.
- The Mac has been cracked! See here for details.
- Updated the JavaScript bug section to include the IE 4.0 Freiburg attack.
- Section on HTTP cookies updated to include information on "cookie cutter" and anonymizing proxy products.
- Information on the new security features in Netscape 4.0 and IE 4.0 added to several sections in Client Side Security.
- Multiple typographical errors and grammar problems cleaned up.
Version 1.4.1, September 3, 1997
- New home for the FAQ at W3 Consortium.
- Complete facelift to match "W3C style".
- New section on using personal (client) certificates for site access control
- Rewritten introductory material.
- Updated information on Netscape JavaScript bugs.
Version 1.4.0, July 10, 1997
- Two new security holes in JavaScript-enabled browsers.
Version 1.3.9, June 25, 1997
- Information on the Microsoft IIS denial of service attack
- Information on the File upload hole in Netscape Navigator 2.0, 3.0, 3.01 and Communicator 4.0
- Typographical errors fixed.
Version 1.3.8, June 11, 1997
- Information on the PHP and file.pl CGI holes.
- A new section on vulnerabilities in the Novell WebServer.
- Lots of typo and spelling fixes provided by Paul DuBois <dubois@primate.wisc.edu>).
- New information on Macintosh Quid Pro Quo server log file problems.
Version 1.3.7, May 7, 1997
- Reports of security holes in various CGI scripts, including FrontPage, Selena Sol's guestbook, and Mindshare Out Box. See Q34.
Version 1.3.6, March 29, 1997
- More problems with Internet Explorer.
Version 1.3.5, March 21, 1997
- Information about the ability of Netscape Navigator and IE to reveal user's network login names and passwords.
Version 1.3.4
- Information about a security hole in the nph-publish CGI script.
- More information about the I.E. security hole.
Version 1.3.3
- Added information about bytecode verifier security hole in Java.
Version 1.3.2
- Huge security hole in Internet Explorer 3.01.
Version 1.3.2
- Information on a new security hole discovered in the Microsoft IIS server.
- Beefed up the section on ActiveX security risks, now that true malicious controls (courtesy of the Chaos Computer Club) have made their appearance.
- Miscellaneous typos and URL fixes.
Version 1.3.1
- Information on two newly-discovered security holes in the Apache Web server.
- Information on a recently-released CGI-based password changing program.
- Entire FAQ is now available as a ZIP file.
Version 1.3.0
- New section on ActiveX.
- New section on HTTP cookies.
- Brought Java and JavaScript sections more-or-less up to date.
- Brought sections on electronic commerce up to date.
- Added section on log security hole in Macintosh WebSTAR.
- URL and spelling fixes.
Version 1.2.4
- The Java section has been enlarged in light of new information.
- Multiple links updated.
- Reports of problems with util.c library in Apache and NCSA httpd have been added to the servers bug section.
- Bibliography expanded.
- List of mirror sites is rapidly growing.
Version 1.2.3
- In light of new revelations about security holes in both Java and JavaScript, this section has been largely rewritten.
- Mirror sites are now listed.
- Added The Risks Digest to the bibliography.
Version 1.2.2
- Split the FAQ into bite-sized pieces so that people across the Atlantic can fetch it.
- Moved the Java and JavaScript pieces into Client-Side Security section (this caused a renumbering of questions to occur).
- Updated Java and JavaScript to reflect the fact that all known bugs are fixed in Netscape 2.01.
- Updated section on Microsoft IIS server to reflect the fact that the .BAT file hole is closed.
- Added results of WebStar challenge to section on Macintosh servers.
Version 1.2.1
- Properly credited Jennifer Myers as the discoverer of the NCSA util.c hole.
Version 1.2.0
- Increased coverage of the extremely serious holes in JavaScript. If you are using Netscape 2.0, or if anyone in your organization is, read this.
- Added the Microsoft IIS server to the list of Windows NT servers afflicted by the .BAT CGI script hole.
- Coverage of the security hole recently found in the util.c CGI library distributed by NCSA httpd and incorporated into many C-language CGI scripts.
Version 1.1.9
- Fixed the confusion between Java and JavaScript. Am I the only one confused by the similarity in names?
Version 1.1.8
- More updates on the .BAT file CGI hole on several NT servers, including pointers to O'Reilly's fix for the problem and Purveyor's immunity to the problem.
- Entirely new section on Java.
Version 1.1.7
- The O'Reilly WebSite server has the same hole in .BAT CGI scripts as the Netscape server, so the specific programs section has been updated to reflect this fact.
- Updated the SSL section to reflect the SSL patches for the Apache server.
Version 1.1.6
- Created a new section on security holes in specific problems and populated it with two recent reports on Netscape Communication Server for Windows NT. This section will grow longer; the emphasis on Netscape is a startup artefact.
Version 1.1.5
- Fix to the perl code for sending mail safely. Thanks to William DenBesten for finding this one.
Version 1.1.4
- Fixed a typo in the example of password protecting a page.
Version 1.1.3
- Fixed a bug in the Perl regular expression for parsing Internet e-mail addresses (caught by Enzo Michelangelo).
- Fixed address of Trusted Information Systems FTP site.
Version 1.1.2
- Added discussion of IP address restriction suggested by Paul Phillips.
Version 1.1.1
- Added the European mirror site at www.Austria.EU.net.
Version 1.1
- Beefed up the client side security section using material graciously provided by Laura Pearlman.
- Fixed a number of incorrect URLs, including the address of Safe Perl.
- Added information about the Microsoft Word "prank macro" (thanks to Neal McBurnett).

	Up to Table of Contents
Backward to Introduction		Forward to General Questions

Lincoln D. Stein (lstein@cshl.org)

Last modified: Sun Apr 2 20:03:39 EDT 2000