Re: publish a user & passwd: $1000 hack reward!
On Fri, Feb 23, 2001 at 12:12:39PM -0500, Steve Rudd wrote:
> Peter Cords said:
>
> > [...]
> > Note that if you allow execution of arbitrary CGI programs, the CGI program
> >could do anything, including start a shell listening on a TCP port, or even
> >sshd, for someone to connect to. Allowing arbitrary CGI is equivalent to
> >giving public shell access.
>
> I have several cgi-scripts on the site. One is a data base program open to
> public searching of information. is any cgi- script at risk if is in the
> cgi-bin?
No, that's not what I was talking about. The CGI scripts that you are
running now were set up by you, and do good things, not bad things. If you
give out usernames/passwords, then a cracker could install her own CGI
script. The risk is in letting them install new CGI scripts, not anything
to do with currently installed CGI scripts.
--
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@llama.nslug. , ns.ca)
"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BCE
Reply to: