As long as we're naming insecure Web sites, let's not forget this one: WINDOWS Magazine.

In running the security check on our own site, we discovered several of the Web server security holes discussed in this article. We did a mediocre job on the security checklist, too. Because we left the vendor's sample files in place, it was especially easy to exploit one of the security holes.

We were bitten by these bugs for the same reasons many other sites are stricken. When we launched our Web server, we left all the files from the original installation in place, since we weren't sure which files were samples and which were really necessary for operation. We didn't keep up with security alerts, and we didn't check for vendor updates. In addition, while testing the CGI scripting, someone left a sensitive program file in the CGI directory. Finally, three different people were responsible for different aspects of server operation. When files were changed or created, it was easy to assume that it was someone else's work.

We've now cleaned up those sample files and updated to the latest Web server software version, which closed those particular security holes for good. We've also mapped out responsibilities, so it's clear who needs to take care of what. We check regularly for unusual occurrences in the server logs now ... and we're a lot more paranoid.
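The "check regularly for unusual occurrences in the server logs" step can be turned into a repeatable script. The following is an added example, not code from WINDOWS Magazine or from any Web server vendor: it parses Common Log Format lines, flags requests to path prefixes the site no longer intends to serve (the sample-file and CGI directories the article describes), and separates probes that failed from requests the server actually answered with 200, since a 200 on a sample path means the file is still present. The log lines and the prefixes `/samples/` and `/cgi-bin/` are constructed for the example; substitute the directories that apply to your own installation.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Common Log Format (not real traffic).
# The last line is deliberately malformed to show how unparseable input is counted.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
192.0.2.11 - - [10/Oct/2000:13:56:01 -0700] "GET /samples/readme.txt HTTP/1.0" 200 512
192.0.2.11 - - [10/Oct/2000:13:56:04 -0700] "GET /cgi-bin/test-script HTTP/1.0" 404 230
192.0.2.12 - - [10/Oct/2000:13:57:12 -0700] "GET /cgi-bin/leftover-debug HTTP/1.0" 200 1043
192.0.2.10 - - [10/Oct/2000:13:58:00 -0700] "GET /about.html HTTP/1.0" 200 1780
this line is not a valid log entry
"""

# Common Log Format: client ident user [timestamp] "method path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Hypothetical path prefixes that should no longer be served after cleanup:
# the vendor sample directory and the CGI directory. Adjust for your server.
SUSPECT_PREFIXES = ("/samples/", "/cgi-bin/")


def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def flag_requests(log_text, prefixes=SUSPECT_PREFIXES):
    """Return (hits, unparseable_count).

    hits: parsed records whose request path starts with one of the prefixes.
    Unparseable lines are counted rather than silently dropped, so a review of
    the log knows how much of it the parser could not see.
    """
    hits = []
    unparseable = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            unparseable += 1
            continue
        if rec["path"].startswith(prefixes):
            hits.append(rec)
    return hits, unparseable


def still_served(hits):
    """Paths under a suspect prefix that the server answered with 200.

    These are the ones that matter most: a 200 means the sample or CGI file
    is still on the server, not merely being asked for.
    """
    return [h["path"] for h in hits if h["status"] == 200]


def hits_by_client(hits):
    """Count suspect requests per client address, to spot a single source probing."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits, bad = flag_requests(SAMPLE_LOG)
    print(f"{len(hits)} suspect requests, {bad} unparseable line(s)")
    for path in still_served(hits):
        print("still served (200):", path)
    for ip, n in hits_by_client(hits).most_common():
        print(f"{ip}: {n} suspect request(s)")
```

Run against a real access log by reading the file into `flag_requests` instead of `SAMPLE_LOG`; any path that shows up under `still_served` after a cleanup is a file the cleanup missed, and a client that dominates `hits_by_client` is worth a closer look in the rest of that day's log.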