
[cobalt-security] Considering cgi-wrap debug function as a security-risk ?



Hi,

On http://www.unixtools.org/cgiwrap/faq.html (linked from the knowledge
base) I found these (for me helpful) instructions:

+How do I use cgiwrapd on a Cobalt RaQ?
+
+cgiwrapd is still there, it just isn't directly obvious how to use it.
+If you normally call your script as
+http://www.site1.com/test.cgi
+you can call it as
+http://www.site1.com/cgiwrapDir/cgiwrapd/test.cgi
+to run it under cgiwrapd. Basically they ScriptAlias "cgiwrapDir" to
+the directory where cgiwrap is installed.

It helped me to run a CGI script containing some errors, creating the
following output (edited for better layout, deleted some unimportant
junk):

+Cobalt RaQ virtual site CGI wrapper

+Environment Variables:
+     QUERY_STRING: ''
+      SCRIPT_NAME: '/cgiwrapDir/cgiwrapd'
+        PATH_INFO: '/*SKRIPTNAME*.cgi'
+  PATH_TRANSLATED: '/home/sites/site4/web/*SKRIPTNAME*.cgi'
+
+Trying to extract user from PATH_INFO.
+Retrieved User Name:  ''
+
+User Data Retrieved:
+     UserID: '*USERNAME*'
+        UID: '115'
+        GID: '100'
+   Group ID: 'site4'
+   Home Dir: '/home/sites/site4/users/*USERNAME*'
+
+This is a site
+site base dir:  'home/sites/'
+    site name:  'site4'
+      cgi dir:  'web'
+Script Base Directory:  '/home/sites/site4/web'
+
+Trying to extract script from PATH_INFO
+        Script Relative Path:  '*SCRIPTNAME*.cgi'
+        Script Absolute Path:  '/home/sites/site4/web/*SCRIPTNAME*.cgi'
+
+UIDs/GIDs Changed To:
+   RUID: '115'
+   EUID: '115'
+   RGID: '100'
+   EGID: '100'
+
+Changing current directory to '/home/sites/site4/web'
+
+Output of script follows:
+=====================================================
+Content-type: text/html
+
+ (html-output)


But do I have to consider that a security-concerning feature?

One can easily find out a user's name with his home path and UID,
without having to sniff anything. As the Cobalt is exposed to the
Internet day by day, has telnet enabled by default AND is designed to
host inexperienced users (-> weak passwords highly probable), every
script kid should be able to load up a simple 'brute force' Perl script
to a server offering free webspace, trying out the 'well known'
passwords on the Cobalt's telnet port...

Wouldn't it be better to disable this feature on the RaQs (at least by
default)?


-- 

H. P.  Ströbel

PGP Digital Fingerprint :
58E0 6ECB 620A A689 E206 
BCA8 300F BC45 6EEC F7C3

Yes, I do. But not Yahoo.
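
A defender-side check for the exposure discussed in this message, as an added example that is not part of the original post: it scans Apache access-log lines for requests that reached the cgiwrapd debug wrapper, including percent-encoded variants of the path. The `/cgiwrapDir/cgiwrapd` prefix comes from the FAQ quote above; the log format, the function names and the sample log lines are assumptions made for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Prefix from the FAQ quote above; the ScriptAlias name may differ elsewhere.
DEBUG_PATH = re.compile(r"^/cgiwrapDir/cgiwrapd(?:/(?P<script>.*))?$")

# Apache common/combined log format (assumed).
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def find_debug_requests(lines):
    """Return one dict per logged request that reached the cgiwrapd debug wrapper."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line; ignore it
        # Drop the query string, then decode %xx so encoded paths still match.
        path = unquote(m.group("path").split("?", 1)[0])
        d = DEBUG_PATH.match(path)
        if d:
            hits.append({
                "host": m.group("host"),
                "time": m.group("time"),
                "script": d.group("script") or "",
                "status": int(m.group("status")),
            })
    return hits

def requests_per_client(hits):
    """Count debug-wrapper requests per client so repeated probing stands out."""
    return Counter(h["host"] for h in hits)

# Constructed sample log lines (documentation address ranges, made-up times).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2001:10:01:02 +0100] "GET /test.cgi HTTP/1.0" 200 512',
    '198.51.100.7 - - [12/Mar/2001:10:02:10 +0100] "GET /cgiwrapDir/cgiwrapd/test.cgi HTTP/1.0" 200 2048',
    '198.51.100.7 - - [12/Mar/2001:10:02:15 +0100] "GET /cgiwrapDir/cgiwrap%64/guestbook.cgi?id=1 HTTP/1.0" 200 1990',
    '192.0.2.10 - - [12/Mar/2001:10:03:00 +0100] "GET /cgiwrapDir/cgiwrap/test.cgi HTTP/1.0" 200 512',
    'not an access log line',
]

if __name__ == "__main__":
    for hit in find_debug_requests(SAMPLE_LOG):
        print(hit)
```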
