[lug] cgi shell
mohadib at ns2.taproot.bz
Tue Feb 4 14:12:50 MST 2003
On Tue, 2003-02-04 at 13:04, Sean Reifschneider wrote:
> On Mon, Feb 03, 2003 at 04:23:02PM -0700, jd wrote:
> >So I downloaded it and tried it...pretty scary, it allowed me
> >to get to / and go wherever I wanted. Is there a way to
> What's so scary about that? If you allow your users to install their
> own CGIs, then they've always had the ability to do this sort of thing,
> whether using "cgishell" or writing a cgi that does an
> "os.system('/bin/ls')" sort of call...
> If you are allowing your users to install their own CGIs, they already
> have these abilities. If that scares you, you obviously need to do some
> work on the security on your system. ;-)
> cgiwrap and appropriate permissions for each user directory are probably
> the minimum security steps you want to take. It depends on what you're
> interested in protecting, though...
Yes, I don't know why it never occurred to me before...but now, you don't
even have to be creative or write your own script...just install it..
So, I just chrooted apache.....and got up2date working in there too now!
I like the idea of cgi-wrap ... but chroot seems to protect me from
more than just the odd nasty cgi.
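
The point made in the thread, that a user-installed CGI can go wherever file permissions let the web server account go, can be checked per user directory. The script below is an added example, not part of the original messages; the function names, the `/home` base and the uid `48` are assumptions, and it reads classic mode bits only (no ACLs, no root override).

```python
import os
import sys

def access_for(st, uid, gids):
    """rwx string that a process with this uid/gids gets from the mode bits."""
    if st.st_uid == uid:
        shift = 6          # owner bits
    elif st.st_gid in gids:
        shift = 3          # group bits
    else:
        shift = 0          # "other" bits
    bits = (st.st_mode >> shift) & 0o7
    return "".join(c for c, b in (("r", 4), ("w", 2), ("x", 1)) if bits & b)

def audit_user_dirs(base, uid, gids=frozenset()):
    """Map each directory directly under base that the uid can enter to its access."""
    findings = {}
    with os.scandir(base) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            if not entry.is_dir(follow_symlinks=False):
                continue
            acc = access_for(entry.stat(follow_symlinks=False), uid, gids)
            if "x" in acc:  # search permission: the CGI can cd into it
                findings[entry.name] = acc
    return findings

if __name__ == "__main__":
    # Usage (values are assumptions): python audit_dirs.py /home 48
    base, cgi_uid = sys.argv[1], int(sys.argv[2])
    for name, acc in audit_user_dirs(base, cgi_uid).items():
        flag = "  <-- writable by CGI" if "w" in acc else ""
        print(f"{base}/{name}: {acc}{flag}")
```

Directories that do not appear in the output are closed to the web server account by mode bits; inside a chroot, run it with the chroot's own base path.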