
Re: [cobalt-security] SSI Vuln on cobalt



On Sunday 21 April 2002 05:06 pm, Brett Wright wrote:
> >Hi list
> >
> >
> >SSI pages run as the web user... so if I made a page "iseethis.shtml" with
> >the source:
> >
> ><html>
> ><body>
> ><!--#exec cmd="for i in $(locate service.pwd);do echo $i;cat $i;done" -->
> ></body>
> ></html>
> >
> >I would get a list of all the frontpage hashes on the server. This is bad.
> >What is the best fix for this to allow CGI to execute but not cmd?
>

SSI is not CGI. Turn SSI off; it's in the GUI site settings:
Uncheck "Enable Server Side Includes"

-- 
Gerald Waugh : Registered Linux user # 255245
http://www.frontstreetnetworks.com
Front Street Networks LLC - ph. 203.785.0699
229 Front Street, Ste. #C, New Haven, CT, United States of America
6:21pm up 31 days, 1:48, 3 users, load average: 1.43, 1.53, 1.48
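
Added example, not part of the original thread: the question of keeping CGI while blocking `#exec cmd` corresponds to Apache's `IncludesNOEXEC` option, shown here beside the permissive setting. The directory path is a placeholder and a hand-edited stock Apache configuration is assumed; the thread itself only describes the GUI checkbox.

```apache
# --- Before (permissive) ---------------------------------------------
# "Includes" enables every SSI directive, including
# <!--#exec cmd="..." -->, so any .shtml file a site user can upload
# runs shell commands with the web server user's privileges.
<Directory "/path/to/site/web">
    Options Includes ExecCGI
</Directory>

# --- After (hardened): use this block in place of the one above -------
# "IncludesNOEXEC" keeps SSI parsing (#include, #echo, #config, ...)
# but disables #exec cmd and #exec cgi. "ExecCGI" is a separate option,
# so ordinary CGI scripts in this directory still run.
<Directory "/path/to/site/web">
    Options IncludesNOEXEC ExecCGI

    # Keep "Options" out of AllowOverride. If it is allowed, a user can
    # restore full SSI with "Options +Includes" in their own .htaccess.
    AllowOverride AuthConfig Limit
</Directory>
```

With `IncludesNOEXEC`, pages can still pull in CGI output through `<!--#include virtual="..." -->` when the script lives in a ScriptAlias directory, so only scripts the administrator has placed there are reachable from SSI.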