RE: [cgiwrap-users] OpenSRS 2.41 + CGIWrap
From: Neulinger, N. <nn...@um...> - 2001-08-08 14:13:16
CGIwrap, and any wrapper for that matter, is basically following the following logic at its core:

A. Am I running as the web server userid?
B. If so, figure out who to run desired script as, and switch to their userid and run it.

The presumption is that no one should have access to the server userid. Since you're letting someone run as the server id, it could pass ANY data to cgiwrap, bypassing any authorization checks, and also contaminating the environment, path, etc. If a script is written 100% securely, then this might not be too bad, but let's just say it's safe to say that it's not a good idea. It's not insecure by itself, it just opens up lots of other potential holes.

-- Nathan

> -----Original Message-----
> From: Ralph Huntington [mailto:rj...@mo...]
> Sent: Wednesday, August 08, 2001 8:44 AM
> To: Neulinger, Nathan
> Cc: Adrian Parker; cgi...@li...
> Subject: RE: [cgiwrap-users] OpenSRS 2.41 + CGIWrap
>
> Well, frankly, no, I didn't realize that. Could you explain to us, please,
> how that condition obtains?
>
> i.e., How is running a script as the server uid when cgiwrap is present
> different than running a script as the server uid when cgiwrap is not
> present?
>
> And, does it make any difference if the cgiwrap dir is outside the html
> tree?
>
> Thank you, Ralph
>
> On Wed, 8 Aug 2001, Neulinger, Nathan wrote:
>
> > Y'all do realize of course that if you are allowing people to run scripts as
> > the server userid, you are opening up an ENORMOUS GAPING SECURITY HOLE on
> > your server if you are also using cgiwrap or suexec.
> >
> > -- Nathan
> >
> > > -----Original Message-----
> > > From: Ralph Huntington [mailto:rj...@mo...]
> > > Sent: Tuesday, August 07, 2001 3:45 PM
> > > To: Adrian Parker
> > > Cc: cgi...@li...
> > > Subject: Re: [cgiwrap-users] OpenSRS 2.41 + CGIWrap
> > >
> > > > How do we turn CGIWrap off by directories? I thought in httpd.conf we
> > > > might be able to remove "AddHandler cgi-wrapper .pl" and "AddHandler
> > > > cgi-wrapper .cgi" from <VirtualHost *>, but that doesn't seem to
> > > > change anything.
> > >
> > > We solve this for the occasional scripts that give problems (AutoCart
> > > comes to mind). We do not use the AddHandler, but rather configure two
> > > ScriptAlias'd dirs for each domain. The user can choose where to put the
> > > script to have it wrapped or not.
> > >
> > > The wrapped dir is named 'cgiwrap' and is in the home dir. The unwrapped
> > > (cgi-bin) dir is in htdocs.
> > >
> > > Hope this is useful to you or someone. - Ralph
> > >
> > > _______________________________________________
> > > cgiwrap-users mailing list
> > > cgi...@li...
> > > http://lists.sourceforge.net/lists/listinfo/cgiwrap-users
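The A/B wrapper logic Nathan describes above, as an added C example that is not cgiwrap's own source: the server-uid check, deriving the target user from the request path, an allowlisted environment in place of whatever the caller set, and the irrevocable uid switch before exec. Assumptions, all constructed: the web server runs as uid 33, the target user is the first PATH_INFO component (e.g. "/alice/x.cgi"), and ENV_KEEP is the pass-through list; step A is exactly the trust boundary the thread is about, since any process already running as the server uid passes it.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <unistd.h>
#define SERVER_UID 33        /* constructed: the uid httpd runs as */
#define MIN_TARGET_UID 1000  /* never switch to root or a system account */
/* Step A: only the web server may call the wrapper. This is the whole trust
 * boundary: any process already running as SERVER_UID passes the check. */
int caller_is_web_server(uid_t real_uid) { return real_uid == SERVER_UID; }
/* Step B.1: user name = first PATH_INFO component, restricted to [a-z0-9_-]
 * so "..", "/" and shell metacharacters can never name a target. */
int parse_target_user(const char *path_info, char *out, size_t outlen) {
    if (!path_info || path_info[0] != '/') return 0;
    const char *p = path_info + 1;
    size_t n = strcspn(p, "/");
    if (n == 0 || n >= outlen) return 0;
    if (strspn(p, "abcdefghijklmnopqrstuvwxyz0123456789_-") < n) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}
/* Step B.2: resolve the name; refuse unknown and privileged accounts. */
long resolve_target_uid(const char *user) {
    struct passwd *pw = getpwnam(user);
    return (!pw || pw->pw_uid < MIN_TARGET_UID) ? -1 : (long)pw->pw_uid;
}
/* Allowlist the environment and pin PATH; everything else the caller set is dropped. */
static const char *const ENV_KEEP[] = {"REQUEST_METHOD", "QUERY_STRING",
    "CONTENT_TYPE", "CONTENT_LENGTH", "PATH_INFO", "REMOTE_ADDR", NULL};
size_t build_clean_env(char *const src[], char **dst, size_t max) {
    size_t n = 0;
    dst[n++] = "PATH=/usr/bin:/bin";
    for (size_t i = 0; src[i] && n < max - 1; i++) {
        size_t klen = strcspn(src[i], "=");
        for (size_t k = 0; ENV_KEEP[k]; k++)
            if (strlen(ENV_KEEP[k]) == klen && !strncmp(src[i], ENV_KEEP[k], klen)) {
                dst[n++] = src[i]; break;
            }
    }
    dst[n] = NULL;
    return n;
}
/* Step B.3: drop privileges irrevocably, then exec the script. */
int run_as(uid_t uid, gid_t gid, const char *script, char *const env[]) {
    if (setgroups(0, NULL) || setgid(gid) || setuid(uid)) return -1;
    if (setuid(0) == 0) return -1;  /* the drop must not be reversible */
    execve(script, (char *const[]){(char *)script, NULL}, env);
    return -1;                      /* reached only when exec fails */
}
```

Only run_as needs root (the setuid bit the real wrapper carries); the other three functions can be exercised as an ordinary user.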