USPS Information Technology Committee Bulletin # 03 - 29 January 2004
------------------------------------------------------------------------------

This IT Com bulletin is being sent to all USPS IT contacts for web pages and addresses a security issue surrounding the use of cgi scripts. If you are a squadron or district contact and are using the counter function on the USPS server, please read, at least, the fourth paragraph. If you are the contact for a national committee or department, please read this entire bulletin.

The practice on the USPS server has been to allow scripts to be intermixed with web pages in directories within the /national root directory. This is a very insecure practice, and the proliferation of hackers makes it a serious source of concern. A much more secure practice is to place all scripts in protected directories which are not in the site directory tree (under the root web address www.usps.org). These directories will be maintained by the IT committee and will be accessed via the virtual web server directories /cgi-bin, /cgi-bin-nat, and /cgi-bin-tools. On or about May 1, 2004, the ability to execute scripts from other than these directories will be turned off.

What does this mean to you? The first step, which is already in progress, will be to move all current scripts in the /scripts directory to the /cgi-bin directory. This means that any page referencing these scripts must be changed to reference /cgi-bin instead of /scripts.

Probably the biggest impact is on the use of /scripts/count.cgi. A copy of /scripts/count.cgi will remain on the server until the cutover to the /cgi-bin directory in May. Pages using /scripts/count.cgi should be changed, as soon as possible, to reference /cgi-bin/count.cgi. References to any other scripts in the /scripts directory should also be changed. There are no plans to keep duplicate scripts, other than count.cgi, until May. In May all scripts not in a cgi-bin directory will cease to work. This means that by the cutover date all scripts must be migrated to the cgi-bin directories and tested.

Since the directories are protected, only individuals with the correct security privileges will be able to move scripts into them. Only certain members of the IT committee have this security. As part of this process, it will be necessary to let the IT committee know what the script does and why it is needed. The IT committee will also review the scripts to check for security and performance issues.

We appreciate your cooperation in this attempt to make the server more secure.

-----

The most commonly used script is fclass.cgi?x, where x is the district number. If you use this script or any similar scripts, they have been moved. As an example, on the server, /scripts/fclass.cgi?4 has been moved to /cgi-bin/fclass.cgi?4. If you are referencing these scripts from a server other than the USPS server, this script can now be found at http://www.usps.org/cgi-bin/fclass.cgi?4

-----

Any questions? Contact Dan Bartell, dtb@usps.org
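The bulletin describes the layout (scripts kept outside the site directory tree, reachable only through the virtual directories /cgi-bin, /cgi-bin-nat and /cgi-bin-tools, with execution everywhere else turned off) but not how the web server enforces it. The following is an added example, not the USPS server's own configuration: it assumes Apache httpd 2.4 and the filesystem paths /var/www/usps/htdocs and /srv/cgi, neither of which is stated in the bulletin.

```apache
# Added example (not the bulletin's or the USPS server's configuration).
# Assumed paths: document root /var/www/usps/htdocs, script tree /srv/cgi.

# Everything under the document root is static content. Nothing here may run,
# and a .cgi file left behind in /national is refused rather than served as
# source (which would leak the script to anyone who asks for it).
DocumentRoot "/var/www/usps/htdocs"
<Directory "/var/www/usps/htdocs">
    Options -ExecCGI -Includes
    # No .htaccess may re-enable ExecCGI or add a CGI handler.
    AllowOverride None
    <FilesMatch "\.(cgi|pl)$">
        Require all denied
    </FilesMatch>
</Directory>

# The three virtual directories from the bulletin. ScriptAlias maps each URL
# prefix to a directory outside the document root and marks it as CGI-only;
# /cgi-bin/fclass.cgi?4 therefore runs /srv/cgi/cgi-bin/fclass.cgi with
# QUERY_STRING=4 and is never served as a file.
ScriptAlias /cgi-bin/       "/srv/cgi/cgi-bin/"
ScriptAlias /cgi-bin-nat/   "/srv/cgi/cgi-bin-nat/"
ScriptAlias /cgi-bin-tools/ "/srv/cgi/cgi-bin-tools/"

<Directory "/srv/cgi">
    Options ExecCGI
    AllowOverride None
    Require all granted
</Directory>
```

Two points worth checking after such a change: that the /srv/cgi tree is writable only by the accounts allowed to install scripts (the bulletin's "correct security privileges"), and that `AllowOverride None` really is in effect under the document root, since a single `.htaccess` with `Options +ExecCGI` would otherwise undo the separation.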
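The migration the bulletin asks for (rewrite every /scripts/ reference to /cgi-bin/, and find anything that will stop working at the cutover) is mechanical enough to script. The POSIX shell below is an added example, not a tool from the IT committee; it assumes the pages are plain .html files under a directory passed as an argument, and the sample site it builds is constructed for the demonstration.

```sh
#!/bin/sh
# Added example: audit and rewrite CGI references before the May cutover.
# Not the bulletin's own tooling; assumes plain .html pages under a docroot.
set -eu

# Virtual directories that will still execute scripts after the cutover.
CGI_DIRS='/cgi-bin/|/cgi-bin-nat/|/cgi-bin-tools/'

# Rewrite /scripts/<name>.cgi -> /cgi-bin/<name>.cgi in every .html file
# under $1. Prints the number of files changed. (Paths with spaces are not
# handled; the USPS tree in the bulletin uses none.)
migrate_refs() {
    root=$1
    count=0
    for f in $(find "$root" -name '*.html' \
                   -exec grep -lE '/scripts/[A-Za-z0-9_.-]+\.cgi' {} + || true); do
        sed -i.bak -E 's#/scripts/([A-Za-z0-9_.-]+\.cgi)#/cgi-bin/\1#g' "$f"
        rm -f "$f.bak"
        count=$((count + 1))
    done
    echo "$count"
}

# Print file:line:reference for every .cgi reference that is NOT under one of
# the three virtual directories; these are the links that break in May.
find_stale_refs() {
    find "$1" -name '*.html' -exec grep -HnoE '/[A-Za-z0-9_./-]*\.cgi' {} + \
        | grep -vE "$CGI_DIRS" || true
}

# List script files that physically sit inside the document tree: the
# "scripts intermixed with web pages" the bulletin warns about.
find_scripts_in_docroot() {
    find "$1" -type f \( -name '*.cgi' -o -name '*.pl' \)
}

# Constructed sample site (not real USPS pages). Prints its root directory.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/national/d4" "$root/national/tools"
    cat > "$root/national/d4/index.html" <<'EOF'
<p>Visitors: <img src="/scripts/count.cgi?d4"></p>
<a href="/scripts/fclass.cgi?4">District 4 classes</a>
EOF
    cat > "$root/national/tools/roster.html" <<'EOF'
<a href="/cgi-bin-tools/roster.cgi">Roster</a>
<a href="/national/tools/oldroster.cgi">Old roster (runs from the document tree)</a>
EOF
    cat > "$root/national/tools/oldroster.cgi" <<'EOF'
#!/usr/bin/perl
print "Content-type: text/plain\n\nold roster\n";
EOF
    echo "$root"
}

# Usage: sh migrate.sh /path/to/docroot   (omit the argument to run on the sample)
if [ "${1:-}" = "" ]; then
    ROOT=$(make_sample_site)
else
    ROOT=$1
fi
echo "files rewritten: $(migrate_refs "$ROOT")"
echo "references still outside cgi-bin directories:"
find_stale_refs "$ROOT"
echo "script files inside the document tree:"
find_scripts_in_docroot "$ROOT"
```

Run against the real tree the script reports two things the bulletin asks contacts to deal with: links that still point outside the cgi-bin directories, and script files that live among the pages and therefore need to be handed to the IT committee for review and relocation rather than simply re-linked.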