
[cobalt-security] Re: SSI Vuln on cobalt



Once upon a time, Gerald Waugh <gwaugh@xxxxxxxxxxxxxxxxxxxxxxx> said:
> SSI is not CGI, turn SSI off, it's in the GUI site-settings
> Uncheck          Enable Server Side Includes

And, as I've pointed out before, all of those cute little checkboxes are
useless.  If I want to use SSI, all I have to do is put:

AddType text/html .shtml
AddHandler server-parsed .shtml

in an .htaccess file.  For CGI, it is:

AddHandler cgi-wrapper .cgi

or (if you don't want your scripts to run under cgiwrap - that way
they'll run as the default web server user as well):

AddHandler cgi-script .cgi

If you turn off telnet, I can write a CGI to do what I want (if I want
to be fancy, I'll run X on my desktop, upload ssh and xterm if they
aren't installed, build a tunnel back to my desktop, and open a
terminal window).

IIRC, you can even load mod_perl handlers into the web server (which may
open up things such as the SSL private keys to all hosted sites - I
haven't tried it, but it should be possible since mod_perl runs in the
server space).

Face it, any user with a site on a RaQ can do pretty much whatever they
want and look at whatever they want.
-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
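
An added example, not part of the original message or of Cobalt's software: a Python audit pass an administrator could run over hosted document roots to list the .htaccess lines that assign the handlers named in the message, whatever the GUI checkboxes say. The function names, the SetHandler check and the sample input are assumptions made for illustration.

```python
import os
import re

# Handlers named in the message above; SetHandler is included as an assumption
# because it assigns the same handlers without listing extensions.
RISKY_HANDLERS = {"server-parsed", "cgi-script", "cgi-wrapper"}
DIRECTIVE = re.compile(r"^\s*(AddHandler|SetHandler)\s+(\S+)(.*)$", re.IGNORECASE)

def find_handler_overrides(text):
    """Return (line_no, directive, handler, extensions) for each risky line."""
    logical, start, buf = [], 1, ""
    # Apache joins a line ending in a backslash with the next one; do the same.
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        logical.append((start, buf + raw))
        buf = ""
    if buf:
        logical.append((start, buf))
    hits = []
    for no, line in logical:
        m = DIRECTIVE.match(line)  # comment lines start with '#', so never match
        if not m:
            continue
        handler = m.group(2).strip('"').lower()
        if handler in RISKY_HANDLERS:
            hits.append((no, m.group(1), handler, m.group(3).split()))
    return hits

def scan_tree(root):
    """Yield (path, hit) for every .htaccess file found under root."""
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for hit in find_handler_overrides(fh.read()):
                    yield path, hit

# Constructed sample .htaccess content, not taken from a real site.
SAMPLE = """\
AddType text/html .shtml
AddHandler server-parsed .shtml
addhandler cgi-script \\
    .cgi .pl
#AddHandler cgi-wrapper .cgi
AddHandler imap-file .map
"""
```

Calling find_handler_overrides(SAMPLE) reports the server-parsed line and the continued cgi-script line, and skips the commented-out and unrelated handlers.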