[cobalt-developers] Re: running a perl cgi script as root on aRaQ3
- Subject: [cobalt-developers] Re: running a perl cgi script as root on aRaQ3
- From: cLive hoLLoway <cLive@xxxxxxxxxxxxxxxxxxx>
- Date: Mon Sep 4 23:01:20 2000
Jeff said
>> A technique that can be used here is for your CGI script to write a file
>> containing the submitted information. You then create a cron job as root
>> that runs say every minute and looks for this file, doing whatever it needs
>> and then erasing the file.
>
>Love it.
>
>All I've got to do to destroy the box is somehow get a file written that
>does a "rm -R /*"
>
>Sounds great <smile>.
Worked well for me though. Only a fool would make the cron *execute* the
data file! The cgi script now creates a data file, and the data file is run
from a cron job that checks the data is valid and implements it. The worst
that can happen is that a fake login/password combo is created on a demo
web site, so I don't see the problem ;)
rm -R /* wouldn't pass a
if (-e $file && ($file =~ m|/home/sites/.*/passwords\.csv$|) )
or a
if ($user =~ /^\w+$/)
So no problem. As long as you test what you are expecting with a good data
taint, and as long as *if* someone manages to get through, you *can* accept
the consequences (ie whoopie, they can play with our demo ;-) then yes,
it's a great solution.
less of that sarcy stuff mr jeff, please :)
later
cLive ;-)
cLive hoLLoway
E-commerce Developer
Now is the time to get trolleyed - www.get-trolleyed.co.uk
print pack "H56", '4a75737420616e6f7468657220636f72706f726174652077686f7265';
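The validation step cLive describes (a root cron job that reads the CGI-written data file and acts only on entries that match what it expects), as an added example that is not code from the original post or the list. The path layout and the "user,hash" line format are assumptions; the point is that every pattern is anchored at both ends and every accepted value is untainted by a regex capture before anything privileged touches it.

```perl
#!/usr/bin/perl -T
# Added example, not code from the original post: the root-side validation a
# cron job would apply before acting on a data file written by a CGI script.
# The path layout and the "user,hash" line format are assumptions.
use strict;
use warnings;

# Returns the untainted path if it is a regular, non-symlink file under the
# expected tree with the expected name; returns undef otherwise.
sub allowed_path {
    my ($path) = @_;
    return undef unless defined $path;
    my ($clean) = $path =~ m{^(/home/sites/[\w.-]+/passwords\.csv)$};
    return undef unless defined $clean;          # the capture also untaints it
    return undef if -l $clean || !-f $clean;     # no symlinks, regular files only
    return $clean;
}

# Validates one "user,hash" line. Returns ($user, $hash) untainted, or an
# empty list if any field is malformed. Both patterns are anchored at both
# ends, so a line such as "rm -R /*,x" is rejected rather than matched on "rm".
sub parse_line {
    my ($line) = @_;
    chomp $line;
    my ($user, $hash, @extra) = split /,/, $line, -1;
    return () if @extra || !defined $hash;       # exactly two fields
    my ($u) = $user =~ /^(\w{1,32})$/;
    my ($h) = $hash =~ m{^([A-Za-z0-9./]{13,120})$};   # crypt(3)-style hash
    return () unless defined $u && defined $h;
    return ($u, $h);
}

# Reads the data file and returns only the entries that passed validation;
# anything else is dropped, so a bad line never reaches the part that runs
# as root.
sub load_entries {
    my ($path) = @_;
    my $clean = allowed_path($path) or return ();
    open my $fh, '<', $clean or return ();
    my @ok;
    while (my $line = <$fh>) {
        my @entry = parse_line($line);
        push @ok, [@entry] if @entry;
    }
    close $fh;
    return @ok;
}
```

Call load_entries from the minutely root cron job under perl -T, create the demo login from the returned pairs only, and unlink the file afterwards as the thread describes.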