FirstSearch via WWW: automatic login?

Prentiss Riddle riddle at is.rice.edu
Fri Apr 5 15:07:42 EST 1996 

> From John.Lewis at vt.edu  Fri Apr  5 10:05:14 1996
> Date: Fri, 05 Apr 1996 11:04:39 -0500
> To: riddle at is.rice.edu, web4lib at library.berkeley.edu
> From: "John D. Lewis" <John.Lewis at vt.edu>
> Subject: Re: FirstSearch via WWW: automatic login?
> 
> At 07:29 AM 4/5/96 -0800, you (Prentiss Riddle) wrote:
> [about the WebScript docs, in your note to OCLC]
> >(3) You say that it is necessary to "limit access to the Web page
> >containing the link to FirstSearch" in order to limit FirstSearch
> >access to your institution's servers.  Unless I'm mistaken, this is
> >incorrect -- what is necessary is to limit access to the CGI directory
> >containing the WebScript script (fs.scr).
> 
> I don't quite understand what you mean by "limit access to the CGI directory
> containing the WebScript script" -- other than servers where CGI is enabled
> for the whole site (not a good idea!), the cgi-bin directory (or equiv.)
> should not be browsable, yet a user who knows the name of a script can
> directly run a program (e.g. http://www.where.ever/cgi-bin/fs.scr), thus
> gaining potentially unauthorized access to FirstSearch.

Under our main cgi-bin directory we have a subdirectory where we put
the fs.scr script.  In that subdirectory we have also placed a
".htaccess" file limiting the directory and its contents to the Rice
campus.  My tests indicate that NCSA httpd *does* honor a .htaccess
file in a CGI directory.

> It is not possible to make fs.scr truly secure in its current
> implementation. That is why OCLC has distributed a perl script written by an
> independent programmer to improve its security. However, this is a thin vail
> -- a compromise is still very simple to execute, as the program itself, when
> in the cgi-bin directory, can be executed directly, bypassing the perl script. 
Can you be more specific about the security problem?  Are you just
talking about the problem of making "http://www.where.ever/cgi-bin/fs.scr"
inaccessible from off campus?  If so, I think I addressed the issue
above.  Or is there an additional security problem?

-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle at rice.edu
-- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
-- Home office: 2002-A Guadalupe St. #285, Austin, TX 78705 / 512-323-0708

More information about the Web4lib mailing list