[507] in WWW Security List Archive


Re: Security risks with CGI

daemon@ATHENA.MIT.EDU (Daniel Smith)
Sat Mar 4 02:56:22 1995

To: www-security@ns2.rutgers.edu
Date: Fri, 03 Mar 1995 18:35:34 -0800
From: Daniel Smith <dls@best.com>
Errors-To: owner-www-security@ns2.rutgers.edu



	wrt CGI and s-s-includes, I haven't seen one mention about
the ability to (at least with NCSA) include a file that's a FIFO
(named pipe)...yep, it's like an suid, because you run as the person
who started the process on the pipe.  You don't get the env vars you'd
get from a cmd or cgi exec though, and you can't pass args.  I
discovered this a few weeks ago, posted about it, and it sank without
a trace (not sure how many know what a named pipe is over in
c.i.w.providers).

	Any comments as to the relative safety of s-s-include of a FIFO
versus a s-s-exec of a script?

				Daniel

    Daniel L Smith                Snapper's Mate, Sophia's Dad, Hoopy Frood
    dls@best.com   http://www.best.com/~dls  P.O. 613, Sausalito, CA, 94966
 "It's as if the Library of Congress had exploded in midair" - dbrooks@ics.com
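A defender-side check for the condition Daniel describes, added here as an example and not part of the original post: walk a document root, list every named pipe under it, and flag SSI include directives whose target is a FIFO. It assumes NCSA-style `<!--#include file|virtual="..." -->` syntax and a simplified resolution of include paths (`virtual` relative to the document root, `file` relative to the including page); the sample document root it builds is constructed for the demo.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# NCSA-style SSI include directives, e.g. <!--#include virtual="/inc/x.html" -->
INCLUDE_RE = re.compile(r'<!--#include\s+(file|virtual)="([^"]+)"\s*-->')

def is_fifo(path: Path) -> bool:
    """True if path (symlinks followed) is a named pipe; stat() never opens it."""
    try:
        return stat.S_ISFIFO(path.stat().st_mode)
    except OSError:
        return False

def resolve_include(docroot: Path, page: Path, kind: str, target: str) -> Path:
    """Simplified resolution (assumption): 'virtual' is relative to the
    document root, 'file' to the directory of the including page."""
    base = docroot / target.lstrip("/") if kind == "virtual" else page.parent / target
    return Path(os.path.normpath(base))

def audit_docroot(docroot: str, exts=(".shtml", ".html")) -> dict:
    """Report every FIFO under the document root and every SSI include
    directive whose target is a FIFO (the 'suid-like' case)."""
    root = Path(docroot)
    fifos, fifo_includes = [], []
    for path in root.rglob("*"):
        if is_fifo(path):
            fifos.append(str(path))
        # is_file() is False for a FIFO, so we never open (and block on) one.
        if path.is_file() and path.suffix in exts:
            for kind, target in INCLUDE_RE.findall(path.read_text(errors="replace")):
                dest = resolve_include(root, path, kind, target)
                if is_fifo(dest):
                    fifo_includes.append((str(path), str(dest)))
    return {"fifos": sorted(fifos), "fifo_includes": sorted(fifo_includes)}

def build_demo_docroot() -> str:
    """Constructed sample document root (not from the post): one FIFO that an
    .shtml page includes, plus an ordinary HTML include for contrast."""
    root = Path(tempfile.mkdtemp(prefix="ssi-audit-"))
    (root / "inc").mkdir()
    os.mkfifo(root / "inc" / "status.fifo")
    (root / "inc" / "footer.html").write_text("<p>footer</p>\n")
    (root / "index.shtml").write_text(
        '<!--#include virtual="/inc/status.fifo" -->\n'
        '<!--#include file="inc/footer.html" -->\n')
    return str(root)
```

Run `audit_docroot` against a real document root and treat any non-empty `fifo_includes` as content that executes with the privileges of whoever feeds the pipe, which is the point of the post.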
