-
June 10th, 2002, 10:45 PM
#1
Senior Member
is allowing full access to cgi-bin a big security issue?
My question:
If I allowed someone free access to their own cgi-bin on my server (after they register), and obviously allowed to execute any perl script for a maximum of 20 secs exec time, would that be a big security issue? Does anyone know what they can do if they had that kind of access and whether it is really serious, like whether they can gain root access, contact other servers, etc?
-Mike
-
June 10th, 2002, 10:53 PM
#2
So like if they could do and run any kind of cgi-programs they want and just for example download your password file and brute force it open? Or if they did a quick search with Google on "cgi exploits" and got thousands of valid pages as an answer and then try all those on your server? Nah, it can't be a big deal... 
Q: Why do computer scientists confuse Christmas and Halloween?
A: Because Oct 31 = Dec 25
-
June 10th, 2002, 11:01 PM
#3
ehm
and lots more..
http://tp2.be/ping.html (ping urself from tp2.be)
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
June 10th, 2002, 11:23 PM
#4
Searched the web for cgi exploits. Results 1 - 20 of about 52,400. Search took 0.15 seconds.
Just had to try it.
Actually this, like so many other security things, is just a matter of configuration (I'd suggest you configure it so that the users do not have full privileges to your cgi stuff... Which actually is an answer to your question...)
You might want to search Google for 'hack proofing', dunno if it's any good: http://www.google.com/search?num=20&...=hack+proofing .
Q: Why do computer scientists confuse Christmas and Halloween?
A: Because Oct 31 = Dec 25
-
June 10th, 2002, 11:40 PM
#5
Member
And that is why very few free sites allow cgi access. I wouldn't recommend giving someone that kind of power unless you know them personally.
The more I deal with people, the more I LOVE my computer.
-
June 11th, 2002, 02:05 AM
#6
Senior Member
Does anyone know how I would be able to limit their cgi access? (I didn't actually give anyone full cgi-access yet, it was just a thought, and I figured before I did that, I better secure it first). All I did so far was limit the execution time to 20 seconds, like I said in the first post.
I could take out some of the dangerous built-in perl modules so they can't use those, but I bet they could always insert their own.....
-Mike
Either get busy living or get busy dying.
-The Shawshank Redemption
-
June 11th, 2002, 02:13 PM
#7
You could limit file and directory perms to start.
Trappedagainbyperfectlogic.
-
June 11th, 2002, 03:14 PM
#8
HERE is some information on CGI Security, maybe something here can help you out or give you a few ideas.
Cheers:
-
June 11th, 2002, 07:03 PM
#9
Re: is allowing full access to cgi-bin a big security issue?
Originally posted here by yanksfan
My question:
If I allowed someone free access to their own cgi-bin on my server (after they register), ..., would that be a big security issue?
Does a bear in the woods $h17 where it wants? Does the Pope wear a silly hat? I think you'll find the answer to all of these questions a resounding YES.
If you want more in depth than that you could probably be a bit more specific about your box and config. In basic terms however the cgi-bin, or any directory with execute permissions set, allows code to be run. If a user can upload and run any code they want they own your box.
"I may not agree with what you say, but I will defend to the death your right to say it."
Sir Winston Churchill.
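An added example, not from any poster in this thread: a minimal launcher showing what OS-level limits around an untrusted CGI script can look like beyond the 20-second execution cap discussed above. It assumes a POSIX host with Python 3 (not a Windows box), and `run_cgi` and its parameters are hypothetical names. It bounds runtime, CPU and file size only; what the script can read or connect to still depends on file permissions and the account it runs under.

```python
import os
import resource
import signal
import subprocess

def _set(res, value):
    """Set soft and hard limit, never asking for more than the current hard limit."""
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))

def _limits(cpu_s, file_bytes):
    """Return a hook that runs in the child between fork and exec."""
    def apply():
        _set(resource.RLIMIT_CPU, cpu_s)         # CPU seconds, catches busy loops
        _set(resource.RLIMIT_FSIZE, file_bytes)  # largest file the script may write
        _set(resource.RLIMIT_CORE, 0)            # no core dumps left on disk
    return apply

def run_cgi(argv, wall_s=20, cpu_s=10, file_bytes=1 << 20, workdir="/tmp"):
    """Run one CGI command under limits; returns (status, stdout_bytes)."""
    # Fresh environment: nothing from the web server's own environment
    # (credentials, paths) is inherited by the user's script.
    env = {"PATH": "/usr/bin:/bin", "GATEWAY_INTERFACE": "CGI/1.1"}
    proc = subprocess.Popen(
        argv, env=env, cwd=workdir,
        stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
        stderr=subprocess.DEVNULL,
        start_new_session=True,           # own process group, so pid == pgid
        preexec_fn=_limits(cpu_s, file_bytes))
    try:
        out, _ = proc.communicate(timeout=wall_s)
        return ("ok" if proc.returncode == 0 else "failed"), out
    except subprocess.TimeoutExpired:
        # Kill the whole group: a timer on the parent alone leaves
        # background children running after the 20 seconds are up.
        # (A child that calls setsid() still escapes; that needs a
        # container or cgroup, which this sketch does not cover.)
        os.killpg(proc.pid, signal.SIGKILL)
        proc.wait()
        proc.stdout.close()
        return "timeout", b""

if __name__ == "__main__":
    print(run_cgi(["/bin/sh", "-c", "echo Content-Type: text/plain; echo; echo hi"]))
```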
-
June 11th, 2002, 10:20 PM
#10
Senior Member
I'm running Sambar (yes, Sambar, not Samba, from www.sambar.com) on a WinME box, so the only permission I can set is read-only. I've got a cheap firewall built into my 3com router, also server box is 667mhz, 192mb RAM, 20gb hd.
-Mike
Either get busy living or get busy dying.
-The Shawshank Redemption