[E-Lang] defense in depth

Jonathan S. Shapiro shap@cs.jhu.edu
Thu, 25 Jan 2001 14:55:38 -0500

David Wagner wrote:
> I have to admit: Now I'm curious.  Which features of Apache are
> inherently insecure?  Can you give any examples?

The entire notion of CGI scripts as currently formatted. On request from
the system administrator, Apache will gleefully punt responsibility for
security to some other program whose environment is not under the
control of Apache.

Also, module configuration is designed such that the introduction of one
module can alter the environment perceived by a subsequent module, and
the current interface specification practice does not allow the
administrator to fully understand the resulting dependencies.