Guidelines on Securing Public Web Servers
attacker can enter certain types of information that may negatively impact the Web server or
compromise its security. For example, one common attack against content generators is a
buffer overflow. In this type of attack, a malicious entity sends the content generator far more
input than it was written to expect. If the generator copies that input into a fixed-size buffer
without checking its length, the excess overwrites adjacent memory and, if the input is crafted
appropriately, can be used to execute commands or gain unauthorized access to the Web server.
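The overflow described above, as an added example that is not part of the original guideline: a minimal C content generator that echoes a "name" query parameter into a page, first with the unchecked copy that produces the overflow, then hardened to measure and filter the input before it touches the buffer. The function names, the 32-byte buffer size and the 199-byte sample request are constructed for this illustration, not taken from any real product.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32   /* size of the stack buffer the generator uses for "name" (assumed) */

/* Vulnerable content generator: copies the attacker-controlled "name"
 * query parameter into a fixed-size stack buffer with no length check.
 * Any value longer than NAME_MAX - 1 bytes runs past the end of buf and
 * overwrites whatever the compiler placed after it on the stack (saved
 * registers, the return address, ...). Kept for contrast only; it behaves
 * normally on short input, which is why the bug goes unnoticed. */
static int greet_vulnerable(const char *name, char *out, size_t outlen)
{
    char buf[NAME_MAX];
    strcpy(buf, name);                        /* unbounded copy: the bug */
    return snprintf(out, outlen, "<p>Hello, %s</p>", buf);
}

/* Returns 1 if every byte of name is a character the generator is willing
 * to echo into a page (letters, digits, space, '-', '_'), 0 otherwise.
 * Rejecting everything else also keeps "<", ">", "&" and quotes out of
 * the generated HTML. */
static int name_is_clean(const char *name, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == ' ' || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/* Hardened version: measure the input against the buffer size before
 * touching buf, refuse anything that does not fit (rather than silently
 * truncating), and restrict the characters that reach the page.
 * Returns the number of bytes written to out, or -1 if the input was
 * rejected. */
static int greet_hardened(const char *name, char *out, size_t outlen)
{
    char buf[NAME_MAX];
    /* memchr looks at no more than NAME_MAX bytes, so the length check
     * itself cannot read past a name that is not terminated in range. */
    const char *nul = memchr(name, '\0', NAME_MAX);
    if (nul == NULL)
        return -1;                            /* too long for buf */
    size_t len = (size_t)(nul - name);
    if (len == 0 || !name_is_clean(name, len))
        return -1;                            /* empty or disallowed bytes */
    memcpy(buf, name, len + 1);               /* fits by construction */
    return snprintf(out, outlen, "<p>Hello, %s</p>", buf);
}

/* Constructed oversized request standing in for an attacker's query
 * string: 199 'A's, far more than NAME_MAX. */
static const char *oversized_input(void)
{
    static char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return big;
}

/* Accept/reject verdict of the hardened generator for a given name. */
static int hardened_accepts(const char *name)
{
    char out[128];
    return greet_hardened(name, out, sizeof out) >= 0;
}

int main(void)
{
    char out[128];
    if (greet_vulnerable("Bob", out, sizeof out) > 0)
        puts(out);                            /* looks fine on benign input */
    if (greet_hardened("Alice", out, sizeof out) > 0)
        puts(out);
    if (greet_hardened(oversized_input(), out, sizeof out) < 0)
        puts("oversized request rejected");
    if (greet_hardened("<script>", out, sizeof out) < 0)
        puts("request with disallowed characters rejected");
    /* greet_vulnerable(oversized_input(), out, sizeof out) would overflow buf. */
    return 0;
}
```

The hardened routine checks length before the copy rather than relying on the copy to stop, and it refuses rather than truncates so that no caller has to reason about what a silently shortened value means.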
All Web sites that implement active content and content generators should perform additional
steps to protect the active content from compromise. These steps, which are discussed in the
following sections, may not apply to all installations; therefore, they should be used as
guidance in conjunction with appropriate vendor documentation.
Special caution is also required for downloading preprogrammed scripts or executables from
the Internet. Many Web administrators and Webmasters are tempted to save time by
downloading freely available code from the Internet. Although this is obviously convenient, it
is not risk free. There are many examples of malicious code being distributed this way. In
general, no third party scripts should be installed on a Web server until subjected to a thorough
code review by a trusted expert.
6.3.1 Client Side Active Content Technologies and Related Vulnerabilities
A wide variety of client side (Web browser) active content technologies is available. Each
technology has its own strengths and weaknesses, and none is perfectly secure. Some of the
most popular active content technologies and their associated risks are discussed below. New
technologies are being released all the time. Any Web administrator or Webmaster who is
considering deploying a Web site with features that require active content technology on the
client side should carefully weigh the risks and benefits of the technology before
implementation. In particular, Web administrators and Webmasters need to be aware that even
if their own content does not present a threat to the user, active content from other sites may,
and that the user may not remember to secure the browser settings when required.
PostScript is one of the earliest examples of active content still in use today. It is a powerful
page description language from Adobe: a document is a text file of language statements that a
PostScript interpreter executes to render the page on any host that supports PostScript. Because
the document is itself a program, the language can be used maliciously to execute commands on
the host interpreting it, for example through the interpreter's file-access operators.
Unfortunately, the best protection against this type of attack is to disable those commands
within the PostScript interpreter, which can negatively affect its overall functionality [NIST01a].
Portable Document Format (PDF) is a page description language from Adobe for specifying the
appearance of a page containing text, graphics, and images, using the same high level, device
independent imaging model employed by PostScript. PDF files are typically created and read
with Adobe Acrobat. Although less susceptible than some other types of active content, a number
of vulnerabilities are associated with PDF and the applications that support it. PDF files can be
used to deliver malicious code, and certain versions of the commonly used Adobe Acrobat Reader
application have buffer overflow vulnerabilities that can be used to crash the application or
execute code on client hosts [NIST01a].
Java is a full featured, object oriented programming language compiled into platform
independent byte code executed by an interpreter called the Java Virtual Machine (JVM). The
resulting byte code can be executed where compiled or transferred to another Java enabled