darwin mc?

andu undo at cloud9.net
Thu Jan 9 05:55:00 EST 2003


--On Thursday, January 09, 2003 10:19:03 +0000 Dave Cragg 
<dcragg at lacscentre.co.uk> wrote:

> At 11:09 am -0500 8/1/03, Richard MacLemale wrote:
>
>> It's the metacard engine for Darwin.  You can slap it into your
>> CGI-EXECUTABLES folder and then write MetaTalk scripts to do cool CGI
>> stuff.
>
> Changing topic slightly...
>
> I've seen a number of recommendations recently to put the mc cgi engine
> in the same folder as the cgi scripts themselves. Is there any possible
> security issue with this?
>
> For example, there are many warnings on the Web not to put the Perl
> engine for Win32 systems in the public cgi-bin directory. The reason is
> that the executable can be called directly from a url reference and a
> script passed as a parameter, allowing all kinds of untold damage to be
> done. I was wondering whether something equally devious was feasible with
> Metacard. While I haven't found a way to exploit this myself, I'd love the
> reassurance that it was a perfectly safe approach.

You can't pass commands to the mc engine and have it execute them (as with 
Perl), only using a script and if the script is not there...
I put the engine in /cgi-bin simply because sometimes I have no access to 
/usr/bin.

>
> Cheers
> Dave
> _______________________________________________
> metacard mailing list
> metacard at lists.runrev.com
> http://lists.runrev.com/mailman/listinfo/metacard
>



Regards, Andu Novac
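
An added example, not part of the original thread: a small audit of a web-executable directory that lists compiled executables stored there and scripts whose `#!` line points at an engine inside that same directory, which is the layout discussed above. The file names, the `#!mc` sample line and the helper names are constructed for illustration, and resolving a relative `#!` path from the script's own directory is an assumption.

```python
import os
import tempfile

# Magic numbers of native executables: ELF, Mach-O (32/64-bit, both byte
# orders, plus fat binaries) and PE ("MZ").
NATIVE_MAGIC = (b"\x7fELF", b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"MZ")

def audit_cgi_dir(cgi_dir):
    """Return (native, colocated) for a web-executable directory.

    native:    names of compiled executables found in cgi_dir.
    colocated: (script, interpreter) pairs where the script's #! line
               resolves to a file inside cgi_dir itself.
    """
    root = os.path.realpath(cgi_dir)
    native, colocated = [], []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(256)
        if head.startswith(NATIVE_MAGIC):
            native.append(name)
        elif head.startswith(b"#!"):
            words = head[2:].split(b"\n", 1)[0].decode("latin-1").split()
            if not words:
                continue
            # Assumption: a relative #! path is resolved from the script's directory.
            target = os.path.realpath(os.path.join(root, words[0]))
            if target.startswith(root + os.sep) and os.path.isfile(target):
                colocated.append((name, os.path.relpath(target, root)))
    return native, colocated

def demo():
    """Constructed sample: a stand-in engine binary beside two scripts."""
    samples = {
        "mc": b"\xfe\xed\xfa\xce" + b"\0" * 16,           # fake Mach-O header only
        "hello.mt": b"#!mc\non startup\nend startup\n",   # engine in same folder
        "date.pl": b"#!/usr/bin/perl\nprint 1;\n",        # engine outside the folder
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return audit_cgi_dir(d)
```

Anything returned in `native` can be requested by URL like any other file in the directory, so each entry is worth reviewing for whether it needs to live there.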


