The World Wide Web Security FAQ
DISCLAIMER
This information is provided by Lincoln Stein (lstein@cshl.org). The World Wide Web
Consortium (W3C) hosts this document as a service to the Web Community;
however, it does not endorse its contents. For further information,
please contact Lincoln Stein directly.
Recent versions of the FAQ.
-
- Version 1.9.0, June 30, 1998
- Version 1.8.1, April 16, 1998
- Version 1.8.0, April 13, 1998
- Added information on the <Embed> and recursive frame
bugs in Internet Explorer 4.0-4.01.
- Added information on the bookmarks buffer overrun bugs in
Netscape Communicator
4.0-4.04.
- Updated section on cookies
to discuss the risks of session ID piracy and to give
recommendations to developers on how to avoid this problem.
- Added warnings about a serious hole in the Lynx 2.7.1 browser.
- Added a discussion of creating an organizational security
policy to the discussion of general security precautions
for Web sites.
- Also added some Windows NT specific system audit tools to the
list of general security
precautions.
- Updated mirror sites.
- Version 1.7.0, January 19, 1998
- Version 1.6, 1.6.1, January 16, 1998
- Version 1.5.1, November 6, 1997
- Added the Count.cgi script to the list of buggy CGI scripts.
- Added information about the sbox wrapper for running CGI
scripts in a multihosted environment.
- Minor URL and e-mail address fixes.
- Version 1.5, November 1, 1997
- New sections on accepting site certificates and
CA certificates.
- New information on old log directory configuration bugs in Netscape servers and possibly other commercial
servers as well.
- The Mac has been cracked! See here for details.
- Updated the JavaScript bug section to include the IE 4.0
Freiburg attack.
- Section on HTTP cookies
updated to include information on "cookie cutter" and anonymizing
proxy products.
- Information on the new security features in Netscape 4.0
and IE 4.0 added to several sections in Client Side Security.
- Multiple typographical errors and grammar problems cleaned up.
- Version 1.4.1, September 3, 1997
- Version 1.4.0, July 10, 1997
- Version 1.3.9, June 25, 1997
- Version 1.3.8, June 11, 1997
- Version 1.3.7, May 7, 1997
- Reports of security holes in various CGI scripts,
including FrontPage, Selena Sol's guestbook, and
Mindshare Out Box. See Q34.
- Version 1.3.6, March 29, 1997
- Version 1.3.5, March 21, 1997
- Version 1.3.4
- Version 1.3.3
- Version 1.3.2
- Version 1.3.2
- Information on a new security hole discovered in the
Microsoft IIS server.
- Beefed up the section on ActiveX security risks, now that
true malicious controls (courtesy of the Chaos Computer Club)
have made their appearance.
- Miscellaneous typos and URL fixes.
- Version 1.3.1
- Version 1.3.0
- New section on ActiveX.
- New section on HTTP cookies.
- Brought Java and JavaScript sections more-or-less up to date.
- Brought sections on electronic commerce up to date.
- Added section on log security hole in Macintosh WebSTAR.
- URL and spelling fixes.
- Version 1.2.4
- The Java section has been enlarged in light of new
information.
- Multiple links updated.
- Reports of problems with
util.c
library in
Apache and NCSA httpd have been added to the servers bug
section.
- Bibliography expanded.
- List of mirror sites is rapidly growing.
- Version 1.2.3
- In light of new revelations about security holes in both Java and JavaScript,
this section has been largely rewritten.
- Mirror sites are now listed.
- Added The Risks Digest to the bibliography.
- Version 1.2.2
- Split the FAQ into bite-sized pieces so that people across the
Atlantic can fetch it.
- Moved the Java and JavaScript pieces into
Client-Side Security section (this caused a renumbering of questions
to occur).
- Updated Java and JavaScript to reflect the fact that all known bugs are
fixed in Netscape 2.01.
- Updated section on Microsoft IIS server to reflect the fact that the .BAT file
hole is closed.
- Added results of WebStar challenge to section on Macintosh servers.
- Version 1.2.1
- Properly credited Jennifer Myers as the discoverer of the
NCSA
util.c
hole.
- Version 1.2.0
- Increased coverage of the extremely serious holes
in JavaScript. If you are using Netscape 2.0,
or if anyone in your organization is, read
this.
- Added the Microsoft IIS server
to the list of Windows NT servers
afflicted by the .BAT CGI script hole.
- Coverage of the security hole recently found in the
util.c
CGI library distributed by NCSA httpd
and incorporated into many C-language CGI scripts.
- Version 1.1.9
- Fixed the confusion between Java and JavaScript. Am I the only
one confused by the similarity in names?
- Version 1.1.8
- Version 1.1.7
- The O'Reilly WebSite server has the same hole in .BAT CGI scripts
as the Netscape server, so the specific programs section has been
updated to reflect this fact.
- Updated the SSL section to reflect the SSL patches for the
Apache server.
- Version 1.1.6
- Created a new section on security holes in specific problems
and populated it with two recent reports on Netscape Communication
Server for Windows NT. This section will grow longer;
the emphasis on Netscape is a startup artefact.
- Version 1.1.5
- Fix to the perl code for sending mail safely. Thanks to
William DenBesten for finding this one.
- Version 1.1.4
- Fixed a typo in the example of password protecting a page.
- Version 1.1.3
- Fixed a bug in the Perl regular expression for parsing
Internet e-mail addresses (caught by Enzo Michelangelo).
- Fixed address of Trusted Information Systems FTP
site.
- Version 1.1.2
- Added discussion of IP address restriction suggested by
Paul Phillips.
- Version 1.1.1
- Added the European mirror site at www.Austria.EU.net.
- Version 1.1
Lincoln D. Stein
(lstein@cshl.org)
Last modified: Mon Sep 13 13:51:16 EDT 1999