The World Wide Web Security FAQ

	Up to Table of Contents
Backward to Introduction		Forward to General Questions

2. What's New?

• • Added information on frame hijacking.
  • More client-side JavaScript exploits, as per usual.
  • Updated sections on CGI script bugs to include newly discovered vulnerabilities in HotMail and the Excite Web Search engine.
  • New section on e-mail exploits.
  • Updated section on CGI wrapper scripts.
  • Added pointers to digital watermarking technologies.
  • Rewrote text on relative operating system security to better reflect real world needs.
  • Improved the description of safe exec() calls in Perl.
  • Improved the e-mail pattern match in the description of variable untainting in Perl.
• Version 1.9.0, June 30, 1998
  • Information on a newly-discovered vulnerability in O'Reilly WebSite Pro, Netscape Enterprise Server for Windows NT, Sun's JavaWebServer, and Process Software's Purveyor. This bug allows the source code for server-side include pages and Java Servlets to be viewed by remote users.
  • Information on vulnerabilities in the MetaInfo MetaWeb server.
  • Added reference to the CGI/Perl Taint Mode FAQ in the discussion of Perl taint checks.
  • Changed example of untainting an e-mail address to be consistent with Gunther Birznieks' more cautious approach.
  • Added Matt Wright's TextCounter script to list of CGI scripts with security holes. Also updated information on the guestbook script vulnerability in the same section.
  • Removed the CERN Web server from the list of specific servers, as it is used at very few sites now.
• Version 1.8.1, April 16, 1998
  • Minor typo and URL fixes
• Version 1.8.0, April 13, 1998
  • Added information on the <Embed> and recursive frame bugs in Internet Explorer 4.0-4.01.
  • Added information on the bookmarks buffer overrun bugs in Netscape Communicator 4.0-4.04.
  • Updated section on cookies to discuss the risks of session ID piracy and to give recommendations to developers on how to avoid this problem.
  • Added warnings about a serious hole in the Lynx 2.7.1 browser.
  • Added a discussion of creating an organizational security policy to the discussion of general security precautions for Web sites.
  • Also added some Windows NT specific system audit tools to the list of general security precautions.
  • Updated mirror sites.
• Version 1.7.0, January 19, 1998
  • Added information on a security hole recently found in the Excite Web Search Engine.
• Version 1.6, 1.6.1, January 16, 1998
  • Information on a severe new security hole in Microsoft Internet Explorer browser (4.0, 4.01)
  • Information on new security holes in the Microsoft Internet Information Server and Personal Web Server, version 4.0
  • Information on new security holes in the Netscape Enterprise (3.0) and FastTrack (3.01) Servers.
  • Information on new security holes in the Apache Web server through 1.2.4.
  • Old, but previously unreported, holes in the IBM Internet Connection Secure Server.
  • WebPass, a new remote password changing script.
• Version 1.5.1, November 6, 1997
  • Added the Count.cgi script to the list of buggy CGI scripts.
  • Added information about the sbox wrapper for running CGI scripts in a multihosted environment.
  • Minor URL and e-mail address fixes.
• Version 1.5, November 1, 1997
  • New sections on accepting site certificates and CA certificates.
  • New information on old log directory configuration bugs in Netscape servers and possibly other commercial servers as well.
  • The Mac has been cracked! See here for details.
  • Updated the JavaScript bug section to include the IE 4.0 Freiburg attack.
  • Section on HTTP cookies updated to include information on "cookie cutter" and anonymizing proxy products.
  • Information on the new security features in Netscape 4.0 and IE 4.0 added to several sections in Client Side Security.
  • Multiple typographical errors and grammar problems cleaned up.
• Version 1.4.1, September 3, 1997
  • New home for the FAQ at W3 Consortium.
  • Complete facelift to match "W3C style".
  • New section on using personal (client) certificates for site access control
  • Rewritten introductory material.
  • Updated information on Netscape JavaScript bugs.
• Version 1.4.0, July 10, 1997
  • Two new security holes in JavaScript-enabled browsers.
• Version 1.3.9, June 25, 1997
  • Information on the Microsoft IIS denial of service attack
  • Information on the File upload hole in Netscape Navigator 2.0, 3.0, 3.01 and Communicator 4.0
  • Typographical errors fixed.
• Version 1.3.8, June 11, 1997
  • Information on the PHP and file.pl CGI holes.
  • A new section on vulnerabilities in the Novell WebServer.
  • Lots of typo and spelling fixes provided by Paul DuBois <[email protected]>).
  • New information on Macintosh Quid Pro Quo server log file problems.
• Version 1.3.7, May 7, 1997
  • Reports of security holes in various CGI scripts, including FrontPage, Selena Sol's guestbook, and Mindshare Out Box. See Q34.
• Version 1.3.6, March 29, 1997
  • More problems with Internet Explorer.
• Version 1.3.5, March 21, 1997
  • Information about the ability of Netscape Navigator and IE to reveal user's network login names and passwords.
• Version 1.3.4
  • Information about a security hole in the nph-publish CGI script.
  • More information about the I.E. security hole.
• Version 1.3.3
  • Added information about bytecode verifier security hole in Java.
• Version 1.3.2
  • Huge security hole in Internet Explorer 3.01.
• Version 1.3.2
  • Information on a new security hole discovered in the Microsoft IIS server.
  • Beefed up the section on ActiveX security risks, now that true malicious controls (courtesy of the Chaos Computer Club) have made their appearance.
  • Miscellaneous typos and URL fixes.
• Version 1.3.1
  • Information on two newly-discovered security holes in the Apache Web server.
  • Information on a recently-released CGI-based password changing program.
  • Entire FAQ is now available as a ZIP file.
• Version 1.3.0
  • New section on ActiveX.
  • New section on HTTP cookies.
  • Brought Java and JavaScript sections more-or-less up to date.
  • Brought sections on electronic commerce up to date.
  • Added section on log security hole in Macintosh WebSTAR.
  • URL and spelling fixes.
• Version 1.2.4
  • The Java section has been enlarged in light of new information.
  • Multiple links updated.
  • Reports of problems with util.c library in Apache and NCSA httpd have been added to the servers bug section.
  • Bibliography expanded.
  • List of mirror sites is rapidly growing.
• Version 1.2.3
  • In light of new revelations about security holes in both Java and JavaScript, this section has been largely rewritten.
  • Mirror sites are now listed.
  • Added The Risks Digest to the bibliography.
• Version 1.2.2
  • Split the FAQ into bite-sized pieces so that people across the Atlantic can fetch it.
  • Moved the Java and JavaScript pieces into Client-Side Security section (this caused a renumbering of questions to occur).
  • Updated Java and JavaScript to reflect the fact that all known bugs are fixed in Netscape 2.01.
  • Updated section on Microsoft IIS server to reflect the fact that the .BAT file hole is closed.
  • Added results of WebStar challenge to section on Macintosh servers.
• Version 1.2.1
  • Properly credited Jennifer Myers as the discoverer of the NCSA util.c hole.
• Version 1.2.0
  • Increased coverage of the extremely serious holes in JavaScript. If you are using Netscape 2.0, or if anyone in your organization is, read this.
  • Added the Microsoft IIS server to the list of Windows NT servers afflicted by the .BAT CGI script hole.
  • Coverage of the security hole recently found in the util.c CGI library distributed by NCSA httpd and incorporated into many C-language CGI scripts.
• Version 1.1.9
  • Fixed the confusion between Java and JavaScript. Am I the only one confused by the similarity in names?
• Version 1.1.8
  • More updates on the .BAT file CGI hole on several NT servers, including pointers to O'Reilly's fix for the problem and Purveyor's immunity to the problem.
  • Entirely new section on Java.
• Version 1.1.7
  • The O'Reilly WebSite server has the same hole in .BAT CGI scripts as the Netscape server, so the specific programs section has been updated to reflect this fact.
  • Updated the SSL section to reflect the SSL patches for the Apache server.
• Version 1.1.6
  • Created a new section on security holes in specific problems and populated it with two recent reports on Netscape Communication Server for Windows NT. This section will grow longer; the emphasis on Netscape is a startup artefact.
• Version 1.1.5
  • Fix to the perl code for sending mail safely. Thanks to William DenBesten for finding this one.
• Version 1.1.4
  • Fixed a typo in the example of password protecting a page.
• Version 1.1.3
  • Fixed a bug in the Perl regular expression for parsing Internet e-mail addresses (caught by Enzo Michelangelo).
  • Fixed address of Trusted Information Systems FTP site.
• Version 1.1.2
  • Added discussion of IP address restriction suggested by Paul Phillips.
• Version 1.1.1
  • Added the European mirror site at www.Austria.EU.net.
• Version 1.1
  • Beefed up the client side security section using material graciously provided by Laura Pearlman.
  • Fixed a number of incorrect URLs, including the address of Safe Perl.
  • Added information about the Microsoft Word "prank macro" (thanks to Neal McBurnett).

	Up to Table of Contents
Backward to Introduction		Forward to General Questions

Last modified: Sun Dec 20 15:26:51 MET 1998