is allowing full access to cgi-bin a big security issue?

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    214

    Question is allowing full access to cgi-bin a big security issue?

    My question:

    If I allowed someone free access to their own cgi-bin on my server (after they register), and obviously allowed to execute any perl script for a maximum of 20 secs exec time, would that be a big security issue? Does anyone know what they can do if they had that kind of access and whether it is really serious, like whether they can gain root access, contact other servers, etc?

    -Mike

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Location
    Helsinki, Finland
    Posts
    570
    So like if they could do and run any kind of cgi-programs they want and just for example download your password file and brute force it open? Or if they did a quick search with Google on "cgi exploits" and got thousands of valid pages as an answer and then try all those on your server? Nah, it can't be a big deal...
    Q: Why do computer scientists confuse Christmas and Halloween?
    A: Because Oct 31 = Dec 25

  3. #3
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    ehm
    contact other servers
    and lots more..

    http://tp2.be/ping.html (ping urself from tp2.be)
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Location
    Helsinki, Finland
    Posts
    570
    Searched the web for cgi exploits. Results 1 - 20 of about 52,400. Search took 0.15 seconds.
    Just had to try it.

    Actually this, like too many other security things, is just a matter of configuration (I'd suggest you configure it so that the users do not have full privileges to your cgi stuff... Which actually is an answer to your question...)

    You might want to search Google for 'hack proofing', dunno if it's any good: http://www.google.com/search?num=20&...=hack+proofing .
    Q: Why do computer scientists confuse Christmas and Halloween?
    A: Because Oct 31 = Dec 25

  5. #5
    Member
    Join Date
    May 2002
    Posts
    74
    And that is why very few free sites allow cgi access. I wouldn't recommend giving someone that kind of power unless you know them personally.
    The more I deal with people, the more I LOVE my computer.

  6. #6
    Senior Member
    Join Date
    Apr 2002
    Posts
    214
    Does anyone know how would I be able to limit their cgi access? (I didn't actually give anyone full cgi-access yet, it was just a thought, and I figured before I did that, I better secure it first). All I did so far was limit the execution time to 20 seconds, like I said in the first post.

    I could take out some of the dangerous built-in perl modules so they can't use those, but I bet they could always insert their own.....

    -Mike
    Either get busy living or get busy dying.

    -The Shawshank Redemption
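One way to put the two limits discussed above (the 20-second execution cap from the first post and keeping user scripts away from dangerous operations) into practice, added here as an example and not code from the thread. It assumes a Unix-like host with Perl's standard Safe module (alarm is not usable on a Win9x box) and a hypothetical run_untrusted wrapper that the CGI handler would call instead of running the user's script directly.

```perl
#!/usr/bin/perl
# Added example (not from the thread): run a registered user's Perl code inside
# a Safe compartment, whose default operation mask denies system, exec,
# backticks, fork, open and require, and kill it after MAX_SECONDS.
use strict;
use warnings;
use Safe;

my $MAX_SECONDS = 20;   # the execution cap mentioned in the first post

# Hypothetical wrapper: returns { ok => 1, value => ... } on success or
# { ok => 0, error => ... } when an op is trapped or the alarm fires.
sub run_untrusted {
    my ($code) = @_;
    my $cpt = Safe->new;        # default mask: no process, file or module ops
    my $result;
    eval {
        local $SIG{ALRM} = sub { die "timeout after ${MAX_SECONDS}s\n" };
        alarm $MAX_SECONDS;
        $result = $cpt->reval($code);   # compile and run under the op mask
        alarm 0;
        die $@ if $@;                   # trapped op or runtime error
    };
    alarm 0;                            # make sure no alarm is left pending
    return { ok => 0, error => $@ } if $@;
    return { ok => 1, value => $result };
}

# Constructed sample inputs: one harmless script and three abusive ones.
my %samples = (
    harmless => 'my $n = 0; $n += $_ for 1..10; $n',
    shell    => 'system("id")',
    passwd   => 'open(my $fh, "<", "/etc/passwd"); <$fh>',
    spin     => 'my $i = 0; while (1) { $i++ }',
);
for my $name (sort keys %samples) {
    my $r = run_untrusted($samples{$name});
    printf "%-8s %s\n", $name,
        $r->{ok} ? "ok: $r->{value}" : "blocked: $r->{error}";
}
```

The harmless script returns 55, the shell and passwd scripts fail at compile time with "trapped by operation mask", and the spin script is killed by the alarm. Safe's op mask is defence in depth only, not a substitute for running the server as an unprivileged account with the tight file and directory permissions suggested in post #7.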

  7. #7
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    You could limit file and directory perms to start.
    Trappedagainbyperfectlogic.

  8. #8
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    HERE is some information on CGI Security, maybe something here can help you out or give you a few ideas.


    Cheers:
    DjM

  9. #9
    Senior Member
    Join Date
    Apr 2002
    Posts
    324

    Re: is allowing full access to cgi-bin a big security issue?

    Originally posted here by yanksfan
    My question:

    If I allowed someone free access to their own cgi-bin on my server (after they register), ..., would that be a big security issue?
    Does a bear in the woods $h17 where it wants? Does the Pope wear a silly hat? I think you'll find the answer to all of these questions a resounding YES.

    If you want more in depth than that you could probably be a bit more specific about your box and config. In basic terms however the cgi-bin, or any directory with execute permissions set, allows code to be run. If a user can upload and run any code they want they own your box.
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.

  10. #10
    Senior Member
    Join Date
    Apr 2002
    Posts
    214
    I'm running Sambar (yes, Sambar, not Samba, from www.sambar.com) on a WinME box, so the only permissions I can set are read-only. I've got a cheap firewall built into my 3com router; also the server box is 667mhz, 192mb RAM, 20gb hd.

    -Mike
    Either get busy living or get busy dying.

    -The Shawshank Redemption
