
Re: [cobalt-developers] FWD from Cobalt-Users



Hi Jon,

> We never got an answer from Cobalt on this one, except "interesting".
> Running this script http://www.rohitab.com/cgiscripts/cgitelnet.html  on a
> virtual site, you can walk all the way up the directory to root.  View
> files that you should not see, even if telnet is turned off on the Raq.

The easiest way? Don't allow usage of PERL, PHP, Python and ASP or any form of 
server side scripting. That's sad but true.

PERL is a mighty application and in the wrong hands it can be abused. The 
CGIwrapper that Sun Cobalt uses on the RaQs to lessen the powers which Perl 
offers to regular users is a good approach, but it still leaves room for 
imaginative users to do things you'll not like. 

For PHP there are also scripts like this available and I wouldn't wonder if 
there are ones for ASP, too.

With a properly configured PHP ("safe mode" enabled and other tweaks) you can 
lock down the permissions and what kind of commands or functions are 
available to users.

You can also restrict the user executed scripts to a certain path (like 
/home/sites/) and disallow going further up in the directory tree. Just put 
the following code in /etc/httpd/conf/access.conf and then restart Apache:

# PHP directory restriction
php_admin_value open_basedir /home/sites

The German c't computer magazine recently conducted a test and many large 
webhosters were vulnerable to information disclosure to such kinds of 
scripts (either PHP or Perl).

-- 

With best regards,

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
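A per-site version of the open_basedir restriction discussed in the message, as an added example (not Michael's configuration and not Sun Cobalt's shipped config). It assumes an Apache 1.3 / mod_php host with sites laid out as /home/sites/siteN/web; the site names, IP address and paths are placeholders. It shows the box-wide directive beside a tighter per-VirtualHost form, and it relies on two documented facts about open_basedir: it is a prefix match, so a value without a trailing slash also admits sibling directories that share the prefix, and php_admin_value cannot be overridden from .htaccess or ini_set().

```apache
# Added example (not from the original message or Sun Cobalt's shipped config).
# /etc/httpd/conf/access.conf on an Apache 1.3 / mod_php host.
# Site layout, names and IP address are assumptions.

# Weaker: one base for the whole box. Every virtual site can still read every
# other site's files under /home/sites, and because open_basedir is a prefix
# match, "/home/sites" also admits e.g. "/home/sites-old" if that exists.
# php_admin_value open_basedir /home/sites

# Stronger: one base per virtual site, with a trailing slash so only that
# directory tree matches, plus /tmp/ for session and upload temp files.
# php_admin_* settings cannot be changed by .htaccess or ini_set().
<VirtualHost 192.0.2.10>
    ServerName   www.example.com
    DocumentRoot /home/sites/site1/web
    php_admin_value open_basedir "/home/sites/site1/:/tmp/"
    php_admin_flag  safe_mode On
</VirtualHost>

<VirtualHost 192.0.2.10>
    ServerName   www.example.org
    DocumentRoot /home/sites/site2/web
    php_admin_value open_basedir "/home/sites/site2/:/tmp/"
    php_admin_flag  safe_mode On
</VirtualHost>
```

Restart Apache after editing, then verify from a script inside one site that reading a file from the other site's tree fails with an "open_basedir restriction in effect" warning. Two caveats: open_basedir only governs PHP's own file functions, so it does nothing for the Perl CGI case Jon reported and is bypassed by anything run through system(), exec(), passthru() or popen(); the PHP manual says disable_functions (e.g. disable_functions = system,exec,passthru,shell_exec,popen) has to be set in php.ini rather than in httpd.conf, so that part of the lockdown lives there.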