Introduction
Challenger handles two types of third-party extensions: Challenger modules and CGI-scripts. With any extension you install on your web server, you must take the security issues into account. You must trust the programmer of the extension to have written it with security in mind. The main problem is how user input is handled: what will happen if the extension gets a megabyte of machine code instead of the line of text it expected?
Challenger modules
Challenger takes care of a lot of potential security issues by itself. For example, it is impossible to make a buffer overrun bug that enables an attacker to execute machine code. This does not mean, however, that the programmer of a Challenger module can ignore security considerations. A Challenger module will always be run with the same permissions as the Challenger server, and any security hazard in the module will affect the whole server. Therefore, we recommend you only run modules distributed by reputable websites.
CGI-scripts
When writing CGI-scripts, the programmer has to take care of all security issues herself. This is currently not a skill all programmers possess; it has only been an issue for a little while. Therefore, CGI-scripts are a major cause of security hazards today. Challenger has the option of running CGI-scripts as a low privilege user. Use this to make sure that the CGI-script can cause as little damage as possible. Only download CGI-scripts from websites that show that they treat security issues seriously.
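An added example (not part of the Challenger documentation) of a CGI script handling its input defensively, written in Python: it refuses the megabyte before reading any of it and accepts only the short line of text it expects. The 1024-byte limit, the allow-listed characters and all names are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
import os
import re
import sys

MAX_BODY = 1024  # assumed limit: the script expects one short line of text
LEN_RE = re.compile(r"[0-9]{1,9}")                # plain ASCII digits only
FIELD_RE = re.compile(rb"[A-Za-z0-9 _.-]{1,64}")  # assumed allow-list


class BadRequest(Exception):
    """The request body is not the short line of text the script expects."""


def read_line_field(environ, stdin):
    """Return the one text line a POST body should hold, or raise BadRequest."""
    raw_len = environ.get("CONTENT_LENGTH", "")
    # CONTENT_LENGTH is supplied by the client, so validate it before int().
    if not LEN_RE.fullmatch(raw_len):
        raise BadRequest("missing or malformed CONTENT_LENGTH")
    length = int(raw_len)
    # Refuse oversized input before reading a single byte of it.
    if length > MAX_BODY:
        raise BadRequest("body too large")
    # Read exactly the declared length, never "until end of input".
    body = stdin.read(length)
    if len(body) != length:
        raise BadRequest("body shorter than declared")
    line = body.rstrip(b"\r\n")
    # Accept only known-good characters; binary data fails here.
    if not FIELD_RE.fullmatch(line):
        raise BadRequest("unexpected characters in field")
    return line.decode("ascii")


if __name__ == "__main__":
    # Run as a CGI script: the server passes the request in env vars and stdin.
    try:
        name = read_line_field(os.environ, sys.stdin.buffer)
        reply = "Status: 200 OK", "Hello, " + name
    except BadRequest as err:
        reply = "Status: 400 Bad Request", str(err)
    print(reply[0] + "\r\nContent-Type: text/plain\r\n\r\n" + reply[1])
```

Even when the client understates the length, only the declared number of bytes is read and the allow-list rejects anything that is not plain text.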