
Re: publish a user & passwd: $1000 hack reward!

On Fri, Feb 23, 2001 at 12:12:39PM -0500, Steve Rudd wrote:
> Peter Cordes said:
> > [...]
> >  Note that if you allow execution of arbitrary CGI programs, the CGI program
> >could do anything, including start a shell listening on a TCP port, or even
> >sshd, for someone to connect to.  Allowing arbitrary CGI is equivalent to
> >giving public shell access.
> I have several cgi-scripts on the site. One is a database program open to 
> public searching of information. Is any cgi-script at risk if it is in the 
> cgi-bin?

 No, that's not what I was talking about.  The CGI scripts that you are
running now were set up by you, and do good things, not bad things.  If you
give out usernames/passwords, then a cracker could install her own CGI
script.  The risk is in letting them install new CGI scripts, not anything
to do with currently installed CGI scripts.

#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE

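The practical follow-up to Peter's point is a check the site admin can run: since the danger is someone installing a new CGI program, not the ones already there, the thing to watch is the contents of cgi-bin itself. The script below is an added example, not code from this thread or from anyone on it. It audits a cgi-bin directory against an admin-maintained allowlist of script names (the allowlist, the sample file names and the constructed temporary cgi-bin are all assumptions for the demo) and reports any executable that is not on the list, is world-writable, or is owned by an unexpected uid.

```python
#!/usr/bin/env python3
"""Audit a cgi-bin directory for CGI programs the admin did not install.

Added example, not part of the original mailing-list thread. The allowlist
of known-good script names is something the site admin maintains by hand;
anything executable in cgi-bin that is not on it is a candidate for a
cracker-installed script, and anything world-writable can be turned into one.
"""
import os
import stat
import tempfile
from pathlib import Path


def audit_cgi_bin(cgi_dir, allowlist, expected_uid=None):
    """Return a list of (filename, problem) tuples for suspicious CGI programs.

    Only executable regular files are considered: a non-executable file in
    cgi-bin cannot be run by the web server as a CGI program.
    """
    findings = []
    for path in sorted(Path(cgi_dir).iterdir()):
        if not path.is_file():
            continue
        st = path.stat()
        executable = st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        if not executable:
            continue
        if path.name not in allowlist:
            findings.append((path.name, "not in allowlist"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path.name, "world-writable"))
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append((path.name, "unexpected owner uid %d" % st.st_uid))
    return findings


def demo():
    """Build a constructed cgi-bin in a temp dir and audit it.

    The file names and contents are made up for this example; the planted
    'backdoor.cgi' is an empty placeholder standing in for whatever a
    cracker with a login might drop there.
    """
    # Hypothetical allowlist: the scripts the admin set up on purpose.
    allowlist = {"search.cgi", "db_query.cgi", "upload.cgi"}
    with tempfile.TemporaryDirectory() as cgi_dir:
        sample = {
            "search.cgi": 0o755,    # legitimate, fine
            "db_query.cgi": 0o755,  # legitimate, fine
            "backdoor.cgi": 0o755,  # executable, not on the allowlist
            "upload.cgi": 0o777,    # allowlisted, but anyone can overwrite it
            "notes.txt": 0o644,     # not executable, ignored
        }
        for name, mode in sample.items():
            p = Path(cgi_dir, name)
            p.write_text("#!/bin/sh\n# constructed placeholder for the example\n")
            os.chmod(p, mode)
        # Owner check: every file here was created by us, so it should pass.
        expected_uid = os.getuid() if hasattr(os, "getuid") else None
        return audit_cgi_bin(cgi_dir, allowlist, expected_uid)


if __name__ == "__main__":
    for name, problem in demo():
        print("%-14s %s" % (name, problem))
```

Run periodically (or from a cron job that mails the output), a non-empty report is the signal to look for a login that should not exist. Comparing owner uids also catches the case where the script was installed from a different account than the one the admin uses.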