
Re: [cobalt-security] Re: SSI Vuln on cobalt



Chris Adams wrote:

> Once upon a time, Gerald Waugh <gwaugh@xxxxxxxxxxxxxxxxxxxxxxx> said:
> > SSI is not CGI, turn SSI off, its in the GUI site-settings
> > Uncheck          Enable Server Side Includes
> 
> And, as I've pointed out before, all of those cute little checkboxes are
> useless.

I wouldn't call them "useless"; I'd call them an easy way for a RaQ
admin to turn features on and off for the great unwashed masses <grin>.

> If I want to use SSI, all I have to do is put:
> 
> AddType text/html .shtml
> AddHandler server-parsed .shtml
> 
> in an .htaccess file.  For CGI, it is:
> 
> AddHandler cgi-wrapper .cgi
> 
> or (if you don't want your scripts to run under cgiwrap - that way
> they'll run as the default web server user as well):
> 
> AddHandler cgi-script .cgi

Of course this could be a security hole for the RaQ...

> If you turn off telnet, I can write a CGI to do what I want (if I want
> to be fancy, I'll run X on my desktop, upload ssh and xterm if they
> aren't installed, build a tunnel back to my desktop, and open an
> terminal window).

Which is why most of us eventually learn to control where our clients
run CGI, and we grep directory listings often, looking at the CGIs our
clients are running.

> IIRC, you can even load mod_perl handlers into the web server (which may
> open up things such as the SSL private keys to all hosted sites - I
> haven't tried it, but it should be possible since mod_perl runs in the
> server space).

No different than any other linux-based hosting platform, really.

> Face it, any user with a site on a RaQ can do pretty much whatever they
> want and look at whatever they want.

This is all no different than under any other linux-based hosting
platform.  It's possible to tighten up the Cobalt defaults, just as it's
possible to tighten up generic linux-based hosting solutions.

For example, if we create a root-owned .htaccess file, then site admins
can't easily install their own.

Jeff
-- 
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA  92517
voice: (909) 778-9980  *  fax: (702) 548-9484
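The thread's two practical points, that a client can re-enable SSI or CGI from a per-site .htaccess regardless of the GUI checkbox, and that an admin therefore needs to keep an eye on what is in those files and who owns them, can be turned into a small audit. The script below is an added example, not code from the original post or from the Cobalt software: it builds a constructed sample tree (three hypothetical sites, one with the exact directives Chris quoted), lists every .htaccess that re-enables SSI or CGI, and reports the file's owner so a non-root-owned hit stands out. The base directory, site layout and function names are assumptions for illustration. The durable fix is in httpd.conf rather than in grep: AddHandler and AddType are only honoured from .htaccess when AllowOverride includes FileInfo, and Options +Includes/+ExecCGI only when it includes Options, so an AllowOverride that excludes both makes the checkboxes stick.

```shell
#!/bin/sh
# Added example (not from the list post or the RaQ GUI): find per-site
# .htaccess files that switch SSI or CGI back on, and show who owns them.
# Assumption: each site's web tree lives somewhere below one base directory
# (a constructed temp tree here so the script runs offline).

# Build a constructed sample tree; prints its base path.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/site1/web" "$base/site2/web/cgi-bin" "$base/site3/web"
    # site1: the client re-enabled SSI and CGI exactly as quoted in the thread
    cat > "$base/site1/web/.htaccess" <<'EOF'
AddType text/html .shtml
AddHandler server-parsed .shtml
AddHandler cgi-script .cgi
EOF
    # site2: a harmless .htaccess (redirect only), should not be flagged
    cat > "$base/site2/web/.htaccess" <<'EOF'
Redirect /old /new
EOF
    # site3: no .htaccess at all
    printf '%s\n' "$base"
}

# Print every .htaccess under $1 that contains an SSI- or CGI-enabling directive:
# AddHandler for server-parsed / cgi-script / cgi-wrapper, or Options turning on
# Includes or ExecCGI. Matching is case-insensitive, as Apache's directive
# parsing is; lines starting with '#' are comments and are skipped.
find_risky_htaccess() {
    find "$1" -name .htaccess -type f 2>/dev/null | while read -r f; do
        if grep -Eiq '^[[:space:]]*(AddHandler[[:space:]]+(server-parsed|cgi-script|cgi-wrapper)|Options[^#]*\+?(Includes|ExecCGI))' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of flagged files under $1.
count_risky() {
    find_risky_htaccess "$1" | wc -l | tr -d ' '
}

# Owner of a file, taken from the third column of ls -ld (portable across
# GNU and BSD, whose stat flags differ).
file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# Print "OWNER PATH" for each flagged file. A non-root OWNER means the client,
# not the RaQ admin, decides whether SSI/CGI is on for that site; a root-owned
# .htaccess (the mitigation Jeff mentions) shows up as owned by root.
audit_site_tree() {
    find_risky_htaccess "$1" | while read -r f; do
        printf '%s %s\n' "$(file_owner "$f")" "$f"
    done
}

# Stand-alone demo against the constructed tree: AUDIT_DEMO=1 sh audit.sh
if [ "${AUDIT_DEMO:-}" = "1" ]; then
    demo_base=$(make_sample_tree)
    audit_site_tree "$demo_base"
    rm -rf "$demo_base"
fi
```

Against a real box, point `audit_site_tree` at the directory holding the sites' web roots and treat every line whose owner is not root as a site where the GUI checkbox is no longer the deciding factor.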