
Re: Security risks with CGI

	wrt to CGI and s-s-includes, I haven't seen one mention about
the ability to (at least with NCSA) include a file that's a FIFO
(named pipe)...yep, it's like an suid, because you run as the person
who started the process on the pipe.  You don't get the env vars you'd
get from a cmd or cgi exec though, and you can't pass args.  I
discovered this a few weeks ago, posted about it, and it sank without
a trace (not sure how many know what a named pipe is over in
c.i.w.providers).

	Any comments as to the relative safety of s-s-include of a FIFO
versus a s-s-exec of a script?

				Daniel

    Daniel L Smith                Snapper's Mate, Sophia's Dad, Hoopy Frood
    dls@best.com   http://www.best.com/~dls  P.O. 613, Sausalito, CA, 94966
 "It's as if the Library of Congress had exploded in midair" - dbrooks@ics.com
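As an added illustration (not part of the original post), a defender-side audit script in Python that walks a web document root, lists every named pipe under it, and flags pages whose SSI include directives resolve to one. The sample docroot it builds is constructed, and the directive syntax and path rules (`virtual` relative to the docroot, `file` relative to the page) are assumed to be the NCSA/Apache forms.

```python
import os
import re
import stat
import tempfile

# Matches NCSA/Apache-style SSI include directives: <!--#include virtual="..." -->
INCLUDE_RE = re.compile(r'<!--#include\s+(virtual|file)="([^"]+)"\s*-->')

def is_fifo(path):
    """True if path exists and is a named pipe (follows symlinks, so a link to a FIFO counts)."""
    try:
        return stat.S_ISFIFO(os.stat(path).st_mode)
    except OSError:
        return False

def find_fifos(docroot):
    """Docroot-relative paths of every FIFO under the document root."""
    hits = []
    for dirpath, _, names in os.walk(docroot):
        for name in names:
            full = os.path.join(dirpath, name)
            if is_fifo(full):
                hits.append(os.path.relpath(full, docroot))
    return sorted(hits)

def fifo_includes(docroot):
    """Docroot-relative (page, target) pairs where an SSI include directive resolves to a FIFO."""
    hits = []
    for dirpath, _, names in os.walk(docroot):
        for name in names:
            page = os.path.join(dirpath, name)
            # Only parse regular .shtml/.html files; open() on a FIFO would block the scanner.
            if not name.endswith((".shtml", ".html")) or not stat.S_ISREG(os.stat(page).st_mode):
                continue
            with open(page, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for kind, target in INCLUDE_RE.findall(text):
                # Assumed resolution rules: 'virtual' is docroot-relative, 'file' is page-relative.
                base = docroot if kind == "virtual" else dirpath
                cand = os.path.normpath(os.path.join(base, target.lstrip("/")))
                if is_fifo(cand):
                    hits.append((os.path.relpath(page, docroot), os.path.relpath(cand, docroot)))
    return sorted(hits)

def build_demo_docroot():
    """Constructed sample docroot: one page includes a FIFO, the other include is a regular file."""
    root = tempfile.mkdtemp(prefix="ssi-demo-")
    os.mkfifo(os.path.join(root, "feed"))
    with open(os.path.join(root, "footer.html"), "w") as fh:
        fh.write("<p>static footer</p>\n")
    with open(os.path.join(root, "index.shtml"), "w") as fh:
        fh.write('<!--#include virtual="/feed" -->\n<!--#include file="footer.html" -->\n')
    return root

if __name__ == "__main__":
    root = build_demo_docroot()
    print("FIFOs under docroot:", find_fifos(root))
    print("Pages including a FIFO:", fifo_includes(root))
```

Point `find_fifos` and `fifo_includes` at a real document root to check whether any served page would read from a pipe whose writer runs with some other user's privileges.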