
Re: 980330: netCDFPerl and CGI security



Hi Leonard,

> To: address@hidden
> From: Leonard Sitongia <address@hidden>
> Subject: netCDFPerl and CGI security
> Organization: UCAR/NCAR/HAO
> Keywords: 199803302218.PAA06829

In the above message, you wrote:

> A user here is about to start using netCDFPerl from CGI scripts under
> the HAO web server.
> 
> I'm concerned about security and the server.  Has netCDFPerl been
> inspected for security risks?  What state is it in with regard to this?
> 
> thanks,
> --Leonard
> 
> --Leonard E. Sitongia           Computer System Management Team (CSMT)
> address@hidden          voice: (303)497-1509   fax: (303)497-1589
> High Altitude Observatory       P.O. Box 3000 Boulder CO 80307  USA

NetCDFPerl hasn't been inspected for security risks.  Note, however,
that the netCDF C library hasn't been inspected for security risks
either.  Since NetCDFPerl is, basically, a library that is used by
perl programs, it is difficult to see what security risks it, itself,
imposes.  I can certainly say that NetCDFPerl makes no attempt -- of
and by itself -- to circumvent the security provided by the operating
system.  It is still possible, however, for a user to try and use
NetCDFPerl to read a netCDF dataset that they shouldn't and, if the
protection on the dataset is insufficient, to actually read the data.
This, however, is no more a risk than the dataset was already in due to
its lack of protection.

Did you have anything in particular in mind?

--------
Steve Emmerson   <http://www.unidata.ucar.edu>