The World Wide Web Security FAQ

• Up to Table of contents
• Backward to Introduction
• Forward to General Questions

2. What's New?

1. Version 1.3.0
   • New section on ActiveX
   • New section on HTTP cookies
   • Brought Java and JavaScript sections more-or-less up to date.
   • Brought sections on electronic commerce up to date.
   • Added section on log security hole in Macintosh WebSTAR
   • URL and spelling fixes.
2. Version 1.2.4
   • The Java section has been enlarged in light of new information.
   • Multiple links updated.
   • Reports of problems with util.c library in Apache and NCSA httpd have been added to the servers bug section.
   • Bibliography expanded.
   • List of mirror sites is rapidly growing.
3. Version 1.2.3
   • In light of new revelations about security holes in both Java and JavaScript, this section has been largely rewritten.
   • Mirror sites are now listed.
   • Added The Risks Digest to the bibliography.
4. Version 1.2.2
   • Split the FAQ into bite-sized pieces so that people across the Atlantic can fetch it.
   • Moved the Java and JavaScript pieces into Client-Side Security section (this caused a renumbering of questions to occur).
   • Updated Java and JavaScript to reflect the fact that all known bugs are fixed in Netscape 2.01.
   • Updated section on Microsoft IIS server to reflect the fact that the .BAT file hole is closed.
   • Added results of WebStar challenge to section on Macintosh servers.
5. Version 1.2.1
   • Properly credited Jennifer Myers as the discover of the NCSA util.c hole.
6. Version 1.2.0
   • Increased coverage of the extremely serious holes in JavaScript. If you are using Netscape 2.0, or if anyone in your organization is, read this.
   • Added the Microsoft IIS server to the list of Windows NT servers afflicted by the .BAT CGI script hole.
   • Coverage of the security hole recently found in the util.c CGI library distributed by NCSA httpd and incorporated into many C-language CGI scripts.
7. Version 1.1.9
   • Fixed the confusion between Java and JavaScript. Am I the only one confused by the similarity in names?
8. Version 1.1.8
   • More updates on the .BAT file CGI hole on several NT servers, including pointers to O'Reilly's fix for the problem and Purveyor's immunity to the problem.
   • Entirely new section on Java.
9. Version 1.1.7
   • The O'Reilly WebSite server has the same hole in .BAT CGI scripts as the Netscape server, so the specific problems section has been updated to reflect this fact.
   • Updated the SSL section to reflect the SSL patches for the Apache server.
10. Version 1.1.6
    • Created a new section on security holes in specific problems and populated it with two recent reports on Netscape Communication Server for Windows NT. This section will grow longer; the emphasis on Netscape is a startup artefact.
11. Version 1.1.5
    • Fix to the perl code for sending mail safely. Thanks to] William DenBesten for finding this one.
12. Version 1.1.4
    • Fixed a typo in the example of password protecting a page.
13. Version 1.1.3
    • Fixed a bug in the Perl regular expression for parsing internet e-mail addresses (caught by Enzo Michelangelo).
    • Fixed address of Trusted Information Systems FTP site.
14. Version 1.1.2
    • Added discussion of IP address restriction suggested by Paul Phillips
15. Version 1.1.1
    • Added the European mirror site at www.Austria.EU.net
16. Version 1.1
    • Beefed up the client side security section using material graciously provided by Laura Pearlman.
    • Fixed a number of incorrect URLs, including the address of Safe Perl.
    • Added information about the Microsoft Word "prank macro" (thanks to Neal McBurnett)

• Up to Table of contents
• Backward to Introduction
• Forward to General Questions