[lug] cgi shell
rob at pangalactic.org
Mon Feb 3 17:04:06 MST 2003
> Today at slashdot there is a write-up about
> a cgi shell.
> so i downloaded it and tried it...pretty scary, it allowed me
> to get to / and go where ever I wanted. Is there a way to
> allow users to have a cgi-bin but stop this sort of behavior?
Anyone who can install CGI applications can grant anyone with access to
the web server the same level of access that any CGI application has.
This generally means the same level of access as the web server's EUID.
The only way to limit the access is through something like CHROOT.
There is a patch for Apache to do just this:
In my experience, most web hosting services do not allow clients to
install CGI applications on shared systems. Anyone needing CGI access
generally has to rent a separate server so that their security mistakes
affect only them.
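As an added illustration of the chroot approach the reply recommends (this is example code, not from the thread or from any Apache patch), here is a POSIX shell script that assembles a minimal jail holding one interpreter binary and the shared libraries it needs; the jail path and binary are assumed.

```shell
#!/bin/sh
# Assemble a minimal chroot jail for one binary (e.g. the interpreter that
# runs users' CGI scripts) so it can be executed with chroot(8) and see
# nothing outside the jail. JAIL and BIN are assumptions for this example,
# not values from the original post.
set -eu

# build_jail JAIL BIN: copy BIN into JAIL at its original path, together with
# every shared library ldd(1) reports for it. Only run this on trusted system
# binaries: ldd may execute the dynamic loader against the file it inspects.
build_jail() {
    jail="$1"
    bin="$2"
    mkdir -p "$jail$(dirname "$bin")"
    cp "$bin" "$jail$bin"
    # ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x...)" or
    # "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep only the absolute paths.
    # A static binary yields no paths and is copied alone.
    for lib in $(ldd "$bin" 2>/dev/null | awk '/=>/ { print $3 } /^[[:space:]]*\// { print $1 }'); do
        [ -f "$lib" ] || continue        # skip "not found" entries
        mkdir -p "$jail$(dirname "$lib")"
        cp -L "$lib" "$jail$lib"
    done
}

# jail_contains JAIL PATH: succeed only if PATH exists as a regular file
# inside JAIL, i.e. is something a CGI run under chroot could reach.
jail_contains() {
    [ -f "$1$2" ]
}

# Example use (building the jail needs only write access to JAIL; running a
# binary inside it with chroot(8) requires root):
#   build_jail /var/jail/cgi /bin/sh
#   chroot /var/jail/cgi /bin/sh -c 'ls /'   # lists only the jail contents
```

Anything the confined interpreter must read (per-user CGI scripts, /dev/null, a stripped-down /etc) has to be copied into the jail the same way; everything else, including the real /, stays out of reach.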