[cobalt-security] Re: SSI Vuln on cobalt
- Subject: [cobalt-security] Re: SSI Vuln on cobalt
- From: Chris Adams <cmadams@xxxxxxxxxx>
- Date: Sun, 21 Apr 2002 18:56:20 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Once upon a time, Gerald Waugh <gwaugh@xxxxxxxxxxxxxxxxxxxxxxx> said:
> SSI is not CGI, turn SSI off, it's in the GUI site-settings
> Uncheck Enable Server Side Includes
And, as I've pointed out before, all of those cute little checkboxes are
useless. If I want to use SSI, all I have to do is put:
    AddType text/html .shtml
    AddHandler server-parsed .shtml
in an .htaccess file. For CGI, it is:
    AddHandler cgi-wrapper .cgi
or (if you don't want your scripts to run under cgiwrap - that way
they'll run as the default web server user as well):
    AddHandler cgi-script .cgi
If you turn off telnet, I can write a CGI to do what I want (if I want
to be fancy, I'll run X on my desktop, upload ssh and xterm if they
aren't installed, build a tunnel back to my desktop, and open a
terminal window).
IIRC, you can even load mod_perl handlers into the web server (which may
open up things such as the SSL private keys to all hosted sites - I
haven't tried it, but it should be possible since mod_perl runs in the
server space).
Face it, any user with a site on a RaQ can do pretty much whatever they
want and look at whatever they want.
--
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
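
Added example, not part of the original message: a small audit routine an administrator could run over the .htaccess files of hosted sites to find the handler overrides quoted above. The handler-to-meaning table, the "perl-script" entry (mod_perl's handler name) and the sample file are assumptions constructed for this illustration.

```python
import re

# Handler names taken from the message; "perl-script" (mod_perl) is added here.
RISKY_HANDLERS = {
    "server-parsed": "SSI parsing",
    "cgi-script": "CGI as the web server user",
    "cgi-wrapper": "CGI through cgiwrap",
    "perl-script": "mod_perl handler",
}
DIRECTIVE = re.compile(r"^(AddHandler|SetHandler)\s+(\S+)\s*(.*)$", re.I)

def logical_lines(text):
    """Yield (line_no, line); backslash continuations joined, comments dropped."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line = (buf + raw).strip()
        if line and not line.startswith("#"):
            yield start, line
        buf, start = "", None

def audit_htaccess(text):
    """Return (line_no, directive, handler, meaning, extensions) per override."""
    findings = []
    for no, line in logical_lines(text):
        m = DIRECTIVE.match(line)
        handler = m.group(2).strip("\"'").lower() if m else None
        if handler in RISKY_HANDLERS:
            findings.append((no, m.group(1), handler,
                             RISKY_HANDLERS[handler], m.group(3).split()))
    return findings

# Constructed sample .htaccess, built from the directives quoted in the message.
SAMPLE = """\
# site-level overrides
AddType text/html .shtml
AddHandler server-parsed .shtml
AddHandler cgi-script \\
    .cgi .pl
ErrorDocument 404 /missing.html
"""

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE):
        print("line %d: %s %s (%s) %s" % finding)
```

AddHandler, SetHandler and AddType are honoured in .htaccess only where the server configuration grants AllowOverride FileInfo for that directory, so that setting, not the GUI checkbox, is the control to review alongside any findings.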