The World Wide Web Security FAQ - What's New?

Published: Oct 16, 2002
Updated: Oct 16, 2002
Section: Network Security Library :: Web Security :: The World Wide Web Security FAQ
Author:
Printable Version
Adjust font size:
Rating: 3/5 - 2 Votes

Version 2.0.1, March 24, 2000
- Updated information on Netscape Enterprise Server vulnerabilities
- Added section on Denial of Service Attacks provided by Marc Myers.
- Updated section on CyberCash, SET, and Open Market.
Version 2.0.0, September 13, 1999
- Added information on frame hijacking.
- More client-side JavaScript exploits, as per usual.
- Updated sections on CGI script bugs to include newly discovered vulnerabilities in HotMail and the Excite Web Search engine.
- New section on e-mail exploits.
- Updated section on CGI wrapper scripts.
- Added pointers to digital watermarking technologies.
- Rewrote text on relative operating system security to better reflect real world needs.
- Improved the description of safe exec() calls in Perl.
- Improved the e-mail pattern match in the description of variable untainting in Perl.
Version 1.9.0, June 30, 1998
- Information on a newly-discovered vulnerability in O'Reilly WebSite Pro, Netscape Enterprise Server for Windows NT, Sun's JavaWebServer, and Process Software's Purveyor. This bug allows the source code for server-side include pages and Java Servlets to be viewed by remote users.
- Information on vulnerabilities in the MetaInfo MetaWeb server.
- Added reference to the CGI/Perl Taint Mode FAQ in the discussion of Perl taint checks.
- Changed example of untainting an e-mail address to be consistent with Gunther Birznieks' more cautious approach.
- Added Matt Wright's TextCounter script to list of CGI scripts with security holes. Also updated information on the guestbook script vulnerability in the same section.
- Removed the CERN Web server from the list of specific servers, as it is used at very few sites now.
Version 1.8.1, April 16, 1998
- Minor typo and URL fixes
Version 1.8.0, April 13, 1998
- Added information on the <Embed> and recursive frame bugs in Internet Explorer 4.0-4.01.
- Added information on the bookmarks buffer overrun bugs in Netscape Communicator 4.0-4.04.
- Updated section on cookies to discuss the risks of session ID piracy and to give recommendations to developers on how to avoid this problem.
- Added warnings about a serious hole in the Lynx 2.7.1 browser.
- Added a discussion of creating an organizational security policy to the discussion of general security precautions for Web sites.
- Also added some Windows NT specific system audit tools to the list of general security precautions.
- Updated mirror sites.
Version 1.7.0, January 19, 1998
- Added information on a security hole recently found in the Excite Web Search Engine.
Version 1.6, 1.6.1, January 16, 1998
- Information on a severe new security hole in Microsoft Internet Explorer browser (4.0, 4.01)
- Information on new security holes in the Microsoft Internet Information Server and Personal Web Server, version 4.0
- Information on new security holes in the Netscape Enterprise (3.0) and FastTrack (3.01) Servers.
- Information on new security holes in the Apache Web server through 1.2.4.
- Old, but previously unreported, holes in the IBM Internet Connection Secure Server.
- WebPass, a new remote password changing script.
Version 1.5.1, November 6, 1997
- Added the Count.cgi script to the list of buggy CGI scripts.
- Added information about the sbox wrapper for running CGI scripts in a multihosted environment.
- Minor URL and e-mail address fixes.
Version 1.5, November 1, 1997
- New sections on accepting site certificates and CA certificates.
- New information on old log directory configuration bugs in Netscape servers and possibly other commercial servers as well.
- The Mac has been cracked! See here for details.
- Updated the JavaScript bug section to include the IE 4.0 Freiburg attack.
- Section on HTTP cookies updated to include information on "cookie cutter" and anonymizing proxy products.
- Information on the new security features in Netscape 4.0 and IE 4.0 added to several sections in Client Side Security.
- Multiple typographical errors and grammar problems cleaned up.
Version 1.4.1, September 3, 1997
- New home for the FAQ at W3 Consortium.
- Complete facelift to match "W3C style".
- New section on using personal (client) certificates for site access control
- Rewritten introductory material.
- Updated information on Netscape JavaScript bugs.
Version 1.4.0, July 10, 1997
- Two new security holes in JavaScript-enabled browsers.
Version 1.3.9, June 25, 1997
- Information on the Microsoft IIS denial of service attack
- Information on the File upload hole in Netscape Navigator 2.0, 3.0, 3.01 and Communicator 4.0
- Typographical errors fixed.
Version 1.3.8, June 11, 1997
- Information on the PHP and file.pl CGI holes.
- A new section on vulnerabilities in the Novell WebServer.
- Lots of typo and spelling fixes provided by Paul DuBois <dubois@primate.wisc.edu>).
- New information on Macintosh Quid Pro Quo server log file problems.
Version 1.3.7, May 7, 1997
- Reports of security holes in various CGI scripts, including FrontPage, Selena Sol's guestbook, and Mindshare Out Box. See Q34.
Version 1.3.6, March 29, 1997
- More problems with Internet Explorer.
Version 1.3.5, March 21, 1997
- Information about the ability of Netscape Navigator and IE to reveal user's network login names and passwords.
Version 1.3.4
- Information about a security hole in the nph-publish CGI script.
- More information about the I.E. security hole.
Version 1.3.3
- Added information about bytecode verifier security hole in Java.
Version 1.3.2
- Huge security hole in Internet Explorer 3.01.
Version 1.3.2
- Information on a new security hole discovered in the Microsoft IIS server.
- Beefed up the section on ActiveX security risks, now that true malicious controls (courtesy of the Chaos Computer Club) have made their appearance.
- Miscellaneous typos and URL fixes.
Version 1.3.1
- Information on two newly-discovered security holes in the Apache Web server.
- Information on a recently-released CGI-based password changing program.
- Entire FAQ is now available as a ZIP file.
Version 1.3.0
- New section on ActiveX.
- New section on HTTP cookies.
- Brought Java and JavaScript sections more-or-less up to date.
- Brought sections on electronic commerce up to date.
- Added section on log security hole in Macintosh WebSTAR.
- URL and spelling fixes.
Version 1.2.4
- The Java section has been enlarged in light of new information.
- Multiple links updated.
- Reports of problems with util.c library in Apache and NCSA httpd have been added to the servers bug section.
- Bibliography expanded.
- List of mirror sites is rapidly growing.
Version 1.2.3
- In light of new revelations about security holes in both Java and JavaScript, this section has been largely rewritten.
- Mirror sites are now listed.
- Added The Risks Digest to the bibliography.
Version 1.2.2
- Split the FAQ into bite-sized pieces so that people across the Atlantic can fetch it.
- Moved the Java and JavaScript pieces into Client-Side Security section (this caused a renumbering of questions to occur).
- Updated Java and JavaScript to reflect the fact that all known bugs are fixed in Netscape 2.01.
- Updated section on Microsoft IIS server to reflect the fact that the .BAT file hole is closed.
- Added results of WebStar challenge to section on Macintosh servers.
Version 1.2.1
- Properly credited Jennifer Myers as the discoverer of the NCSA util.c hole.
Version 1.2.0
- Increased coverage of the extremely serious holes in JavaScript. If you are using Netscape 2.0, or if anyone in your organization is, read this.
- Added the Microsoft IIS server to the list of Windows NT servers afflicted by the .BAT CGI script hole.
- Coverage of the security hole recently found in the util.c CGI library distributed by NCSA httpd and incorporated into many C-language CGI scripts.
Version 1.1.9
- Fixed the confusion between Java and JavaScript. Am I the only one confused by the similarity in names?
Version 1.1.8
- More updates on the .BAT file CGI hole on several NT servers, including pointers to O'Reilly's fix for the problem and Purveyor's immunity to the problem.
- Entirely new section on Java.
Version 1.1.7
- The O'Reilly WebSite server has the same hole in .BAT CGI scripts as the Netscape server, so the specific programs section has been updated to reflect this fact.
- Updated the SSL section to reflect the SSL patches for the Apache server.
Version 1.1.6
- Created a new section on security holes in specific problems and populated it with two recent reports on Netscape Communication Server for Windows NT. This section will grow longer; the emphasis on Netscape is a startup artefact.
Version 1.1.5
- Fix to the perl code for sending mail safely. Thanks to William DenBesten for finding this one.
Version 1.1.4
- Fixed a typo in the example of password protecting a page.
Version 1.1.3
- Fixed a bug in the Perl regular expression for parsing Internet e-mail addresses (caught by Enzo Michelangelo).
- Fixed address of Trusted Information Systems FTP site.
Version 1.1.2
- Added discussion of IP address restriction suggested by Paul Phillips.
Version 1.1.1
- Added the European mirror site at www.Austria.EU.net.
Version 1.1
- Beefed up the client side security section using material graciously provided by Laura Pearlman.
- Fixed a number of incorrect URLs, including the address of Safe Perl.
- Added information about the Microsoft Word "prank macro" (thanks to Neal McBurnett).