[8546] in bugtraq

Re: SCO World Script Vulnerabilities

daemon@ATHENA.MIT.EDU (Ben Laurie)
Sat Nov 14 14:38:56 1998

Date: 	Fri, 13 Nov 1998 18:42:27 +0000
Reply-To: Ben Laurie <ben@ALGROUP.CO.UK>
From: Ben Laurie <ben@ALGROUP.CO.UK>
X-To:         Joe <joe@GONZO.BLARG.NET>
To: BUGTRAQ@NETSPACE.ORG

Joe wrote:
> Since the CGI is being accessed by the system administrator, your remark
> about the "user" being able to plug in any host name is plain silly.  If
> they've got access to the CGI you're ALREADY compromised. Besides, from
> the shell I've got MORE than enough rope to hang myself. If I'm trying to
> administer a remote machine over the web I want that same length of rope.

I can find nothing in the article suggesting that access to the CGI
should be restricted, let alone saying how you might do that.
Regardless, it is so easy to secure the scripts properly, there is no
excuse for not doing it, no matter how secure you think the rest of the
setup is.

Cheers,

Ben.

--
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/