home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Freaks Macintosh Archive
/
Freaks Macintosh Archive.bin
/
Freaks Macintosh Archives
/
Textfiles
/
Hacking
/
Windos NT CGI security Hole.sit
/
Windos NT CGI security Hole
next >
Wrap
Text File
|
1997-01-21
|
2KB
|
62 lines
http - CGI Configuration
Service
http
Problem
Making a copy of a general purpose programming language available in a CGI directory is a serious
mistake.
Impact
Internet users can have arbitrary commands executed on the machine by the owner of the http
daemon.
Timeliness
Widely known.
Recommendation
Take care with respect to what programs you make available in the CGI director(ies) of your
server, and, in particular, do not make powerful general purpose programming languages available
to arbitrary remote users.
Description
The necessity of careful scrutiny of the contents of a servers cgi directory is very well known.
However, it still seems to be a common error. In particular, it seems relatively common for NT
sites to have a copy of perl in their cgi-bin directory. This allows people to pass their own perl
programs as urls to the server to be executed;
http://your.machine/cgi-bin/perl?-e+print%20q@Content%2dType%3a%20text%2fplain%0a%0aHello,%20World!%0a@
http://your.machine/scripts/perl.exe?-e+print%20q@Content%2dType%3a%20text%2fplain%0a%0aHello,%20World!%0a@
are two harmless example.
20th February 1996 - Lincoln Stein has recently pointed out that because the Netscape NT server
does not use the NT File Manager's associations between file extensions and applications, even
though files with the .pl (or other) extension are associated with the perl interpreter, they are not
recognised as such when in the cgi-bin directory. This, combined with the DOS CGI problem makes
CGI programming difficult with the current version of the NT Netscape servers. His suggestion is to
switch to a NT server that uses the File Manager extension associations.
Orignial Description 4th January 1996
Update 20th February 1996
Last Modified 21 July 1996
Netcraft | SSL Server Survey | Web Server Survey | Client List
Copyright © Netcraft 1995-1997