[lug] cgi shell
mlists at newmediaone.com
Mon Feb 3 16:42:16 MST 2003
What you need to do is make sure your permissions are correct on your
server, as the web server is public, and should be treated as a system user.
So anything you don't want accessed via a script like this need to have
permissions that protect it from user "nobody", or whatever user your web
server is running as.
You can also have Perl scripts run as different users using SuExe with
Apache, but the same issues hold true, just for multiple users instead of
New Media One Web Services
New Upgrades Are Now Live!!!
Windows 2000 accounts - Cold Fusion 5.0 and Imail 7.1
Sun Solaris (UNIX) accounts - PHP 4.1.2, mod_perl/1.25,
Stronghold/3.0 (Apache/1.3.22), MySQL 3.23.43
PostgreSQL coming soon!
webmaster at newmediaone.net
----- Original Message -----
From: "jd" <lug at taproot.bz>
To: "lug" <lug at lug.boulder.co.us>
Sent: Monday, February 03, 2003 4:23 PM
Subject: [lug] cgi shell
> Today at slashdot there is a write-up about
> a cgi shell.
> so i downloaded it and tried it...pretty scary, it allowed me
> to get to / and go where ever I wanted. Is there a way to
> allow users to have a cgi-bin but stop this sort of behavior?
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
More information about the LUG