Printable View
My question:
If I allowed someone free access to their own cgi-bin on my server (after they register), and odviously allowed to execute any perl script for a maximum of 20 secs exec time, would that be a big security issue? Does anyone know what they can do if they had that kind of access and wether it is really serious, like wether they can gain root access, contact other servers, etc?
-Mike
So like if they could do and run any kind of cgi-programs they want and just for example download your password file and brute force it open? Or if they did a quick search with Google on "cgi exploits" and got thousands of valid pages as an answer and then try all those on your server? Nah, it can't be a big deal... ;):rolleyes:
ehm
and lots more..Quote:
contact other servers
http://tp2.be/ping.html (ping urself from tp2.be)
Just had to try it. :)Quote:
Searched the web for cgi exploits. Results 1 - 20 of about 52,400. Search took 0.15 seconds.
Actually this like to many other security things is just a matter of configuration (I'd suggest you configure it so that the users do not have full priviledges to you cgi stuff... Which actually is an answer to your question...)
You might want to search Google for 'hack proofing', dunno if it's any good: http://www.google.com/search?num=20&...=hack+proofing .
And that is why very few free sites allow cgi access. I wouldn't recommend giving someone that kind of power unless you know them personally.
Does anyone know how would I be able to limit their cgi access? (I didn't actually give anyone full cgi-access yet, it was just a thought, and I figured before I did that, I better secure it first). All I did so far was limit the execution time to 20 seconds, like I said in the first post.
I could take out some of the dangerous the built in perl modules so they can't use those, but I bet they could always insert their own.....
-Mike
You could limit file and directory perms to start.
HERE is some information on CGI Security, maybe something here can help you out or give you a few ideas.
Cheers:
Does a bear in the woods $h17 where it wants? Does the Pope wear a silly hat? I think you'll find the answer to all of these questions a resounding YES.Quote:
Originally posted here by yanksfan
My question:
If I allowed someone free access to their own cgi-bin on my server (after they register), ..., would that be a big security issue?
If you want more in depth than that you could probably be a bit more specific about your box and config. In basic terms however the cgi-bin, or any directory with execute permissions set, allows code to be run. If a user can upload and run any code they want they own your box.
I'm running Sambar (yes, Sambar, not Samba, from www.sambar.com) on a WinME box, so the only permissions I can set is read-only. I've got a cheap firewall built into my 3com router, also server box is 667mhz, 192mb RAM, 20gb hd.
-Mike
I would really recommend win 2k IIS5 for web servies if you are Windows based. Especially for production servers. Win 9x/ME are really nothing more /home/ operating systems.
The other benefit of the NT kernel (which 2k uses - it's really NT5), other that /far/ greater stability, is that you can assign proper permissions because of the NTFS filing system. This gives you a lot more control over what you can allow uses do and not do.
That said, if you are running a web server on ME the chances are that it isn't a production server. So in your web server admin software (I've never heard of sambar - sorry) you should have a restricted IP list. Set this so that only 127.0.0.1 has access to you web server.
127.0.0.1 is the built in loopback address for all network interface cards. This will stop anyone from using your webserver other that from the local machine. Now you can test all you want without any security concerns.
Never give the Inetuser account write and execute permissions on the same directory.
Hoped that helped a bit ;)
how much would winnt/2k cost? and, is it command-line?
ntsa, if I understand you correctly, you're saying not to give them full cgi access? well i guess if they really wanted to use cgi, they could use their isp's webspace or a remotely hosted one.
i think instead of trying to secure my box, i'll just forget the idea of givin them full cgi access.
You could give them PHP access, and use PHP's secure mode which can limit what they can do, but still let them execute some kinds of scripts.
It's not perfect but better than nothing.
Of course if you were running under *NIX, I'd suggest CHROOT'ing the whole thing, but esp under WinME, you can't do anything like that. Like ntsa says, on Windows you'd be much better off with Win2k