[lug] cgi shell

Rob Riggs rob at pangalactic.org
Mon Feb 3 17:04:06 MST 2003


jd wrote:

>Hello,
> Today at slashdot there is a write-up about
>a cgi shell.
>http://slashdot.org/article.pl?sid=03/02/03/1531246&mode=thread&tid=162&tid=156
>
>so i downloaded it and tried it...pretty scary, it allowed me
>to get to / and go where ever I wanted. Is there a way to
>allow users to have a cgi-bin but stop this sort of behavior?
>
Anyone who can install CGI applications can grant anyone with access to
the web server the same level of access that any CGI application has.
This generally means the same level of access as the web server's EUID.
The only way to limit the access is through something like CHROOT.
There is a patch for Apache to do just this:
http://home.iae.nl/users/devet/apache/chroot/ .

In my experience, most web hosting services do not allow clients to
install CGI applications on shared systems.  Anyone needing CGI access
generally has to rent a separate server so that their security mistakes
affect only them.

-Rob
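The point Rob makes above, as an added example that is not part of the original thread: a small probe CGI that reports the identity the script actually runs with and which paths that identity can reach, plus the chroot-and-drop-privileges sequence a server or wrapper has to perform to confine such scripts. The probe list, the jail path and the uid/gid values are assumptions for illustration; nothing here comes from the Apache chroot patch linked in the reply.

```python
#!/usr/bin/env python3
"""probe.cgi: drop into a cgi-bin to see what any CGI on the host can reach.

Added example, not code from the original post. It shows (1) that a CGI
runs with the web server's effective UID, so whatever that UID can read,
every CGI installed by any user can read, and (2) the chroot + privilege
drop a server or wrapper must perform to confine it. The probe list and
jail parameters are assumptions chosen for illustration.
"""
import os
import sys

# Constructed probe list: places a "CGI shell" would typically browse first.
DEFAULT_PROBES = ["/", "/etc/passwd", "/etc/shadow", "/root", "/var/www"]


def identity():
    """Return the identity of the CGI process (the server's, not the installer's)."""
    return {
        "uid": os.getuid(),
        "euid": os.geteuid(),
        "gid": os.getgid(),
        "egid": os.getegid(),
        "cwd": os.getcwd(),
    }


def probe_paths(paths):
    """Map each path to 'readable', 'denied', 'missing' or 'error'.

    Anything reported 'readable' is reachable by every CGI on this server,
    because all of them execute under the same EUID.
    """
    result = {}
    for p in paths:
        try:
            if os.path.isdir(p):
                os.listdir(p)
            else:
                with open(p, "rb") as fh:
                    fh.read(1)
            result[p] = "readable"
        except PermissionError:
            result[p] = "denied"
        except FileNotFoundError:
            result[p] = "missing"
        except OSError:
            result[p] = "error"
    return result


def confine(jail, uid, gid):
    """chroot into `jail` and drop to uid/gid; returns True if the jail holds.

    Needs root, and the order matters: chroot first, then chdir('/') so the
    working directory does not stay outside the jail, then drop the group
    and finally the user so the drop cannot be reversed from inside.
    Assumed jail layout: a directory containing only what the CGI needs.
    """
    if os.geteuid() != 0:
        raise PermissionError("chroot() requires root; run from the server or a wrapper")
    os.chroot(jail)
    os.chdir("/")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    # Sanity check from inside the jail: the host's /etc/shadow must be
    # missing or denied. If it is readable, the jail is misconfigured.
    return probe_paths(["/etc/shadow"])["/etc/shadow"] != "readable"


def render(ident, probes):
    """Plain-text body a browser would see from this CGI."""
    lines = ["uid=%(uid)d euid=%(euid)d gid=%(gid)d egid=%(egid)d cwd=%(cwd)s" % ident]
    for p, status in sorted(probes.items()):
        lines.append("%-12s %s" % (status, p))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # CGI entry point: the web server invokes this with no arguments.
    sys.stdout.write("Content-Type: text/plain\r\n\r\n")
    sys.stdout.write(render(identity(), probe_paths(DEFAULT_PROBES)))
```

Run it once as a CGI on an unconfined server and the "readable" lines are the answer to jd's question: every user with a cgi-bin gets exactly that view. Run it again after the server has called something equivalent to `confine()` and the same probes should come back "missing" or "denied".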