RE: [cgiwrap-users] a potential security problem

From: Nathan N. <nn...@um...> - 2002-05-29 02:30:59

On Tue, 2002-05-28 at 21:26, Jiang, Hai Dong (Harry) wrote:
> Nathan:
> Thank you very much for your prompt response!
>
> I notice a line in cgiwrap.c:
>
> ChangeID(user);
>
> So I think the cgiwrap should be owned by root, is it right?
> That is, cgiwrap should be setuid root (4755 mode and owner is root)?
>
> For example, the web server owner is harry.
> 1. He sets up a web user in conf/.htpasswd called root.
> 2. And he puts a malicious program in cgi-bin/ called rmallfiles.pl.
> 3. He accesses the web as root.
> 4. URL is http://*.*.*.*:8080/cgiwrap/cgi-bin/rmallfiles.pl
>
> It is an example of a potential security problem.

Users in .htpasswd have nothing to do with unix userids that processes run under.

> harry
>
> -----Original Message-----
> From: Nathan Neulinger [mailto:nn...@um...]
> Sent: 2002-05-29 9:50
> To: Jiang, Hai Dong (Harry)
> Cc: cgi...@li...
> Subject: Re: [cgiwrap-users] a potential security problem
>
> Unless you configured cgiwrap to allow executing scripts as root, this
> is not the case.
>
> Even still - it doesn't do you any good, since you'd still have to have
> root or specific-user permissions to install scripts into the users' cgi
> directories.
>
> Please be more specific if this doesn't answer your question.
>
> -- Nathan
>
> On Tue, 2002-05-28 at 20:44, Jiang, Hai Dong (Harry) wrote:
> > All,
> > I wonder if cgiwrap has a security problem?
> > If the web server owner's password is known by malicious guys, he can set up a
> > user called root and put some malicious program on the web server, then he can
> > access and execute these programs as root from the web, because cgiwrap does
> > not check the unix password for the web user.
> > Is it a potential security problem?
> >
> > harry

--
------------------------------------------------------------
Nathan Neulinger                       EMail: nn...@um...
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                     Fax: (573) 341-4216
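The behaviour Nathan describes (a setuid-root wrapper that refuses to switch to root unless the administrator explicitly allowed it, and that decides the target from the unix account, never from an .htpasswd name) as an added C example; this is not cgiwrap's own code, and the function names `check_target`, `target_allowed` and `drop_to` are assumptions.

```c
/* Added example: the policy a setuid-root CGI wrapper applies before its
 * ChangeID-style step. Not cgiwrap's code; names are hypothetical. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Refuse uid 0 / gid 0 unless root execution was explicitly enabled.
 * The target comes from the unix password database (the script owner's
 * account), never from an HTTP auth user name. Returns 0 if acceptable. */
int check_target(const struct passwd *pw, int allow_root)
{
    if (pw == NULL)
        return -1;                      /* no such unix account */
    if (!allow_root && (pw->pw_uid == 0 || pw->pw_gid == 0))
        return -1;                      /* would run the script as root */
    return 0;
}

/* Same check on constructed values, so the policy can be exercised
 * without relying on the local /etc/passwd. */
int target_allowed(const char *name, uid_t uid, gid_t gid, int allow_root)
{
    struct passwd pw = { .pw_name = (char *)name, .pw_uid = uid, .pw_gid = gid };
    return check_target(&pw, allow_root);
}

/* Irreversibly become the target: supplementary groups, gid, then uid,
 * and confirm that root cannot be regained afterwards. Returns 0 on success. */
int drop_to(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0) return -1;   /* must fail */
    return 0;
}

int main(void)
{
    /* Resolve the script owner by unix account name, then apply the policy. */
    struct passwd *pw = getpwnam("root");
    printf("root as target, root disabled: %d\n", check_target(pw, 0));  /* -1 */
    printf("root as target, root enabled:  %d\n", check_target(pw, 1));  /*  0 */
    return 0;
}
```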