[672] in WWW Security List Archive
Re: NCSA httpd: patch for CGI insecurity
daemon@ATHENA.MIT.EDU (Dave Kristol)
Fri May 5 13:43:16 1995
Date: Fri, 5 May 95 09:35:08 EDT
From: dmk@allegra.att.com (Dave Kristol)
To: paulp@cerf.net
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Paul Phillips <paulp@cerf.net> said:
> On Thu, 4 May 1995, Paul Phillips wrote:
>
> > It was pointed out that fchdir could conceivably be used to escape a
> > chrooted area. I also really don't like the idea that a CGI can log an
> > arbitrary amount of false information. Trashing the log files at least
> > informs the web admin that something is up, but information warfare can
> > be more dangerous than information vandalism.
>
> Sorry to quote myself, but this is quite more serious than I had
> originally painted it. I know of some commercial web space providers
> that charge by the byte for bandwidth used. If I have an account and CGI
> access on the same server that someone else does, what is to stop me from
> logging lots of entries for someone else on the server, greatly
> increasing their tab? Nothing. In fact, with a single CGI I could fork
> another process that sits around in the background and logs accesses to
> my enemies every minute or so.

[...]

We know running arbitrary CGIs is risky. Web providers should be
vetting CGIs before installing them, to reduce the chances of malicious
behavior. IMO, the error log should be left open, as a place for CGIs
to collect stuff written to standard error. It's unlikely that a web
provider is billing based on stuff in the error log.

Dave Kristol
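
Added example, not part of the original message or of the NCSA httpd patch: one way a server can hand a CGI the error log on standard error while keeping the access log and any directory descriptor (the kind fchdir needs) from crossing exec. It assumes the exposure discussed in the thread comes from descriptors the server holds open when it forks the CGI; the function names and the /dev/null stand-ins are hypothetical.

```c
/* Added example with constructed stand-ins; not NCSA httpd source. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd is open and would be inherited across exec, otherwise 0. */
int survives_exec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && !(flags & FD_CLOEXEC);
}

/* Child-side setup before exec: point stderr at the error log, then mark
 * every descriptor above stderr close-on-exec. Returns count sealed or -1. */
int prepare_cgi_child(int errlog_fd) {
    long max = sysconf(_SC_OPEN_MAX);
    int sealed = 0;
    if (max < 0 || max > 65536) max = 65536;
    if (dup2(errlog_fd, STDERR_FILENO) == -1) return -1;
    for (int fd = STDERR_FILENO + 1; fd < max; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1) continue;              /* not an open descriptor */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1) return -1;
        sealed++;
    }
    return sealed;
}

/* Forks a pretend CGI child and reports what it would inherit across exec:
 * bit 0 = access log, bit 1 = stderr (error log), bit 2 = directory fd. */
int demo_child_inheritance(void) {
    int access_log = open("/dev/null", O_WRONLY | O_APPEND); /* constructed */
    int error_log  = open("/dev/null", O_WRONLY | O_APPEND); /* constructed */
    int docroot    = open("/", O_RDONLY);   /* directory fd, usable by fchdir */
    int status = 0;
    if (access_log < 3 || error_log < 3 || docroot < 3) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {                         /* a real server would exec here */
        if (prepare_cgi_child(error_log) < 0) _exit(255);
        _exit(survives_exec(access_log) | survives_exec(STDERR_FILENO) << 1 |
              survives_exec(docroot) << 2);
    }
    if (waitpid(pid, &status, 0) == -1) return -1;
    close(access_log); close(error_log); close(docroot);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) { return demo_child_inheritance() == 2 ? 0 : 1; }
```

A result of 2 means only standard error, now backed by the error log, would reach the CGI.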