The World Wide Web Security FAQ
Recent versions of the FAQ.
- Version 1.7.0, January 19, 1998
- Version 1.6, 1.6.1, January 16, 1998
- Version 1.5.1, November 6, 1997
  - Added the Count.cgi script to the list of buggy CGI scripts.
  - Added information about the sbox wrapper for running CGI scripts in a multihosted environment.
  - Minor URL and e-mail address fixes.
- Version 1.5, November 1, 1997
  - New sections on accepting site certificates and
  - New information on old log directory configuration bugs in Netscape servers and possibly other commercial servers as well.
  - The Mac has been cracked! See here for details.
  - Section on HTTP cookies updated to include information on "cookie cutter" and anonymizing
  - Information on the new security features in Netscape 4.0 and IE 4.0 added to several sections in Client Side Security.
  - Multiple typographical errors and grammar problems cleaned up.
- Version 1.4.1, September 3, 1997
- Version 1.4.0, July 10, 1997
- Version 1.3.9, June 25, 1997
- Version 1.3.8, June 11, 1997
- Version 1.3.7, May 7, 1997
  - Reports of security holes in various CGI scripts, including FrontPage, Selena Sol's guestbook, and Mindshare Out Box. See Q34.
- Version 1.3.6, March 29, 1997
- Version 1.3.5, March 21, 1997
- Version 1.3.4
- Version 1.3.3
- Version 1.3.2
  - Information on a new security hole discovered in the Microsoft IIS server.
  - Beefed up the section on ActiveX security risks, now that true malicious controls (courtesy of the Chaos Computer Club) have made their appearance.
  - Miscellaneous typos and URL fixes.
- Version 1.3.1
- Version 1.3.0
  - New section on ActiveX.
  - New section on HTTP cookies.
  - Brought sections on electronic commerce up to date.
  - Added section on log security hole in Macintosh WebSTAR.
  - URL and spelling fixes.
- Version 1.2.4
  - The Java section has been enlarged in light of new
  - Multiple links updated.
  - Reports of problems with util.c library in Apache and NCSA httpd have been added to the servers bug
  - Bibliography expanded.
  - List of mirror sites is rapidly growing.
- Version 1.2.3
  - this section has been largely rewritten.
  - Mirror sites are now listed.
  - Added The Risks Digest to the bibliography.
- Version 1.2.2
  - Split the FAQ into bite-sized pieces so that people across the Atlantic can fetch it.
  - Client-Side Security section (this caused a renumbering of questions
  - fixed in Netscape 2.01.
  - Updated section on Microsoft IIS server to reflect the fact that the .BAT file hole is closed.
  - Added results of WebStar challenge to section on Macintosh servers.
- Version 1.2.1
  - Properly credited Jennifer Myers as the discoverer of the
- Version 1.2.0
  - Increased coverage of the extremely serious holes
  - or if anyone in your organization is, read
  - Added the Microsoft IIS server to the list of Windows NT servers afflicted by the .BAT CGI script hole.
  - Coverage of the security hole recently found in the util.c CGI library distributed by NCSA httpd and incorporated into many C-language CGI scripts.
- Version 1.1.9
  - one confused by the similarity in names?
- Version 1.1.8
- Version 1.1.7
  - The O'Reilly WebSite server has the same hole in .BAT CGI scripts as the Netscape server, so the specific programs section has been updated to reflect this fact.
  - Updated the SSL section to reflect the SSL patches for the
- Version 1.1.6
  - Created a new section on security holes in specific problems and populated it with two recent reports on Netscape Communication Server for Windows NT. This section will grow longer; the emphasis on Netscape is a startup artefact.
- Version 1.1.5
  - Fix to the Perl code for sending mail safely. Thanks to William DenBesten for finding this one.
- Version 1.1.4
  - Fixed a typo in the example of password protecting a page.
- Version 1.1.3
  - Fixed a bug in the Perl regular expression for parsing Internet e-mail addresses (caught by Enzo Michelangelo).
  - Fixed address of Trusted Information Systems FTP
- Version 1.1.2
  - Added discussion of IP address restriction suggested by
- Version 1.1.1
  - Added the European mirror site at www.Austria.EU.net.
- Version 1.1
Lincoln D. Stein
Last modified: Mon Jan 19 13:06:58 EST 1998