Re: [ROOT] Carrot security?

From: Valeriy Onuchin (Valeri.Onoutchine@cern.ch)
Date: Thu Aug 15 2002 - 13:39:39 MEST


----- Original Message -----
From: "Dubois, Richard" <richard@SLAC.stanford.edu>
To: "Root Discussion (E-mail)" <roottalk@pcroot.cern.ch>
Sent: Thursday, August 15, 2002 8:02 AM
Subject: [ROOT] Carrot security?


> We in GLAST have been testing out the use of Carrot within our software test system - running
> automated builds and tests, and tracking them in an Oracle database and Root histogram files. With
> the Oracle connection, we can query the database and make plots on the fly; we can also locate
> histogram files and display them in the browser at will. All way cool.
>
> So, now we need to go to the computing center and ask for permission to expose the Carrot plugin
> to the world. The security dudes are (perhaps necessarily) anal - there are bad people out there -
> and tend to say 'no' to all requests.
>
> What is known about the security aspects of Carrot? Does it make the Apache webserver more
> vulnerable to exploits? If we have to prove to them that Carrot is safe, how do we go about it?
>

Hi Richard, it's an interesting question and frankly I do not know the right answer.
In general Carrot is a dynamic content-handling module similar to other ones, like
    PHP, mod_perl, ASP, ColdFusion, mod_dtcl ... and many others.
There are many articles considering the security issues of the above-mentioned modules which, with slight
modifications, would apply to Carrot. For example, a Google search gave a few interesting ones:
http://www.phpadvisory.com/articles/view.phtml?ID=5
http://httpd.apache.org/docs/misc/security_tips.html
http://www.php.net/manual/en/security.php

Any other ideas on how to answer this question? (It would be good to write a tutorial on it.)

Thanks. Regards. Valeriy

++
  BTW, the recent hack of the Carrot site was done through an FTP hole (not Carrot's).



This archive was generated by hypermail 2b29 : Sat Jan 04 2003 - 23:51:04 MET