FirstSearch via WWW: automatic login?
John D. Lewis
John.Lewis at vt.edu
Fri Apr 5 11:04:39 EST 1996
At 07:29 AM 4/5/96 -0800, you (Prentiss Riddle) wrote:
[about the WebScript docs, in your note to OCLC]
>(3) You say that it is necessary to "limit access to the Web page
>containing the link to FirstSearch" in order to limit FirstSearch
>access to your institution's servers. Unless I'm mistaken, this is
>incorrect -- what is necessary is to limit access to the CGI directory
>containing the WebScript script (fs.scr).
I don't quite understand what you mean by "limit access to the CGI directory
containing the WebScript script" -- other than servers where CGI is enabled
for the whole site (not a good idea!), the cgi-bin directory (or equiv.)
should not be browsable, yet a user who knows the name of a script can
directly run a program (e.g. http://www.where.ever/cgi-bin/fs.scr), thus
gaining potentially unauthorized access to FirstSearch.
It is not possible to make fs.scr truly secure in its current
implementation. That is why OCLC has distributed a perl script written by an
independent programmer to improve its security. However, this is a thin veil
-- a compromise is still very simple to execute, as the program itself, when
in the cgi-bin directory, can be executed directly, bypassing the perl script.
I have expressed severe concerns to OCLC over the lack of solid security
around fs.scr. They have replied, but failed to provide a more adequate
solution. In my opinion, the ball is in their court, as additional security
must be built into the WebScript architecture itself.
P.S. Don't get me wrong -- I think it's a good first step. But there is
still a ways to go.
>-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle at rice.edu
John.
____________________________________________________
John D. Lewis, Programmer <john.lewis at vt.edu>
Newman Library, VA Tech http://johnlewis.lib.vt.edu
Voice: (540) 231-9243 Fax: (540) 231-9263
PGP Key Available on request
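The weakness the message describes, that a wrapper script around fs.scr does nothing when fs.scr itself can be requested directly from cgi-bin, is addressed at the web server rather than in the script. The following httpd.conf fragment is an added example and is not part of the original message, OCLC's WebScript distribution or the perl wrapper it mentions; it uses Apache 2.4 `Require` syntax, and the directory path, script name and address range (a documentation range standing in for an institution's networks) are placeholders.

```apache
# Added example: restrict who may execute anything in the CGI directory.
# The weak form below is what "direct execution of fs.scr" amounts to:
# any client on the Internet may run the script.
#
# <Directory "/var/www/cgi-bin">
#     Options +ExecCGI
#     Require all granted
# </Directory>

# Hardened form: only the institution's own address range (placeholder
# 192.0.2.0/24) may run scripts in this directory, so a request for
# http://www.where.ever/cgi-bin/fs.scr from elsewhere is refused with 403
# before the script is ever started.
<Directory "/var/www/cgi-bin">
    Options +ExecCGI
    Require ip 192.0.2.0/24
</Directory>

# Belt and braces: deny the raw script to everyone, so that even on-campus
# users must go through the wrapper (placeholder name fs-wrapper.pl), which
# can then apply whatever additional checks the site wants.
<Files "fs.scr">
    Require all denied
</Files>

# The wrapper stays reachable to the institution's range; because it is the
# only way to invoke fs.scr on this host, the wrapper's checks can no longer
# be bypassed by naming the script directly.
<Files "fs-wrapper.pl">
    Require ip 192.0.2.0/24
</Files>
```

Note that an IP-based rule still admits any client on the listed networks and any proxy that fronts them, so it limits exposure rather than authenticating users; the message's underlying point, that access control belongs in the WebScript architecture itself, stands.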