Re: Security risks with CGI
wrt CGI and s-s-includes, I haven't seen one mention about
the ability to (at least with NCSA) include a file that's a FIFO
(named pipe)...yep, it's like an suid, because you run as the person
who started the process on the pipe. You don't get the env vars you'd
get from a cmd or cgi exec though, and you can't pass args. I
discovered this a few weeks ago, posted about it, and it sank without
a trace (not sure how many know what a named pipe is over in
c.i.w.providers).
Any comments as to the relative safety of s-s-include of a FIFO
versus a s-s-exec of a script?
Daniel
Daniel L Smith Snapper's Mate, Sophia's Dad, Hoopy Frood
dls@best.com http://www.best.com/~dls P.O. 613, Sausalito, CA, 94966
"It's as if the Library of Congress had exploded in midair" - dbrooks@ics.com
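Added example, not code from the post above and not part of NCSA httpd: a small shell simulation of the mechanism Daniel describes, so the difference between including a FIFO and exec'ing a script can be seen side by side. The names ssi_include and ssi_exec are stand-ins for the server's include and exec directives, fragment is a constructed page-fragment generator, and the process "started on the pipe" is a background loop in the same shell; all of these are assumptions for the demonstration, not anything the original message specifies.

```shell
#!/bin/sh
# Added example (assumed names, see lead-in).  Simulates a server-side include
# whose target is a FIFO: the server just opens the path and reads, so the bytes
# come from whichever process the pipe's owner left holding the write end.

FIFO="${TMPDIR:-/tmp}/ssi-demo-fifo.$$"

# Constructed page-fragment generator.  It reports the uid it runs as and
# whether it can see the request variable a CGI exec would be handed.
fragment() {
    printf 'fragment: uid=%s REQUEST_URI=%s\n' "$(id -u)" "${REQUEST_URI:-unset}"
}

# "Start a process on the pipe": done once, by the pipe's owner.  Everything it
# later feeds the server carries that user's identity and that user's original
# environment, which is what makes it behave like an suid helper.
start_fifo_writer() {
    mkfifo -m 600 "$FIFO" || return 1
    (
        # The open for writing blocks until the server opens the read end, so
        # this loop only does work when an include actually happens.  The
        # redirection closes the write end after each fragment, giving the
        # reader one line and then EOF.
        while fragment > "$FIFO"; do :; done
    ) >/dev/null 2>&1 &
    FIFO_WRITER_PID=$!
}

stop_fifo_writer() {
    kill "$FIFO_WRITER_PID" 2>/dev/null || true
    wait "$FIFO_WRITER_PID" 2>/dev/null || true
    rm -f "$FIFO"
}

# Stand-in for #include file=...: open the path, copy what is read.  The server
# sets request variables for its own process, but the writer was started long
# before this request and never sees them, and no argument can be passed.
# One line is read per include; a reader that reads to EOF can race with the
# writer's reopen and receive more than one fragment.
ssi_include() (
    export REQUEST_URI="$2"
    head -n 1 "$1"
)

# Stand-in for #exec cmd=...: the server runs the command itself, so it runs
# as the server's uid and sees the CGI environment of this request.
ssi_exec() (
    export REQUEST_URI="$2"
    "$1"
)

# Assemble one page from both mechanisms for comparison.
render_page() {
    printf 'via include of FIFO: %s\n' "$(ssi_include "$FIFO" "$1")"
    printf 'via exec cmd:        %s\n' "$(ssi_exec fragment "$1")"
}

main() {
    start_fifo_writer
    render_page /index.shtml
    stop_fifo_writer
}
main
```

Run under a single user the two uids come out the same; the point of the include line is that it reports REQUEST_URI=unset, because the content was generated by a process that existed before the request, with whatever identity and environment its owner started it with. On a real server the writer would be started by the pipe's owner and the reader would be httpd, so the uid on that line would be the owner's, not the server's.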