[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: publish a user & passwd: $1000 hack reward!

Peter Cords said:

If you allow execution of
CGI programs from public_html, then users will be able to execute code
(probably under their UID).  Then you have to secure your machine against
local exploits.  Obviously, you should do this anyway, but if crackers can
run arbitrary code (as a non-priviledged user), then you will have to act
really fast to stop yourself from getting cracked whenever a new local
exploit is discovered.

 Note that if you allow execution of arbitrary CGI programs, the CGI program
could do anything, including start a shell listening on a TCP port, or even
sshd, for someone to connect to.  Allowing arbitrary CGI is equivalent to
giving public shell access.

I have several cgi-scripts on the site. One is a data base program open to public searching of information. is any cgi- script at risk if is in the cgi-bin?


Reply to: