Printable View
My question:
If I allowed someone free access to their own cgi-bin on my server (after they register), and odviously allowed to execute any perl script for a maximum of 20 secs exec time, would that be a big security issue? Does anyone know what they can do if they had that kind of access and wether it is really serious, like wether they can gain root access, contact other servers, etc?
-Mike
So like if they could do and run any kind of cgi-programs they want and just for example download your password file and brute force it open? Or if they did a quick search with Google on "cgi exploits" and got thousands of valid pages as an answer and then try all those on your server? Nah, it can't be a big deal... ;):rolleyes:
ehm
and lots more..Quote:
contact other servers
http://tp2.be/ping.html (ping urself from tp2.be)
Just had to try it. :)Quote:
Searched the web for cgi exploits. Results 1 - 20 of about 52,400. Search took 0.15 seconds.
Actually this like to many other security things is just a matter of configuration (I'd suggest you configure it so that the users do not have full priviledges to you cgi stuff... Which actually is an answer to your question...)
You might want to search Google for 'hack proofing', dunno if it's any good: http://www.google.com/search?num=20&...=hack+proofing .
And that is why very few free sites allow cgi access. I wouldn't recommend giving someone that kind of power unless you know them personally.
Does anyone know how would I be able to limit their cgi access? (I didn't actually give anyone full cgi-access yet, it was just a thought, and I figured before I did that, I better secure it first). All I did so far was limit the execution time to 20 seconds, like I said in the first post.
I could take out some of the dangerous the built in perl modules so they can't use those, but I bet they could always insert their own.....
-Mike
You could limit file and directory perms to start.
HERE is some information on CGI Security, maybe something here can help you out or give you a few ideas.
Cheers:
Does a bear in the woods $h17 where it wants? Does the Pope wear a silly hat? I think you'll find the answer to all of these questions a resounding YES.Quote:
Originally posted here by yanksfan
My question:
If I allowed someone free access to their own cgi-bin on my server (after they register), ..., would that be a big security issue?
If you want more in depth than that you could probably be a bit more specific about your box and config. In basic terms however the cgi-bin, or any directory with execute permissions set, allows code to be run. If a user can upload and run any code they want they own your box.
I'm running Sambar (yes, Sambar, not Samba, from www.sambar.com) on a WinME box, so the only permissions I can set is read-only. I've got a cheap firewall built into my 3com router, also server box is 667mhz, 192mb RAM, 20gb hd.
-Mike