
[cobalt-users] OFFTOPIC: Faking CGI environment



Hello all,

Is it possible to call a CGI from telnet and do something so that this CGI
"believes" it is being called from the web? I mean: can I set the environment
variables that this CGI would get if it were called via the web (e.g.
the variables REMOTE_USER, SCRIPT_NAME, etc.)?

If this is possible, I think some of the Cobalt administration CGIs are very
insecure. I just had a closer look at them. Most CGI scripts, e.g. the one
for adding a virtual site, just check simple things, e.g. some hidden form
values from the website they were called from. AND: these CGI scripts have
the permissions 755, so anybody who is able to fake this CGI environment has
almost full access to the server.

I hope that I am not saying something totally wrong, but for me some of the
security concepts are not very hard to break. Perhaps one of you can
tell me that this is not right...

Manuel
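
The following is an added shell example, not part of Manuel's post and not Cobalt code. It shows what the post asks about: a CGI script run from an ordinary shell (such as a telnet session) with a hand-built CGI environment, and why a script that authorises only on REMOTE_USER plus a hidden form field cannot tell such a call from a real web request. Both CGI scripts are constructed stand-ins; the web server account name "httpd", the script paths and the form field names are assumptions.

```shell
# Constructed weak CGI in the pattern the post describes: it trusts the
# REMOTE_USER variable and a hidden form field, both of which the caller
# controls when the script is started from a shell. (A real CGI would read
# CONTENT_LENGTH bytes of body; the stand-in reads one line.)
make_weak_cgi() {
  cat > "$1" <<'EOF'
#!/bin/sh
read -r body
case "$body" in
  *action=add_site*) ;;
  *) printf 'Status: 400\n\nmissing hidden field\n'; exit 0 ;;
esac
if [ "$REMOTE_USER" = "admin" ]; then
  printf 'Content-Type: text/plain\n\nsite added by %s\n' "$REMOTE_USER"
else
  printf 'Status: 403\n\nforbidden\n'
fi
EOF
}

# Constructed hardened CGI. The environment is caller-controlled, so the
# trust anchor has to be the identity of the process that executed the
# script: with the file owned by the web server account and mode 0700,
# only that account (and root) can start it, and the script refuses to act
# for anyone else. REMOTE_USER is then only trusted because the web server,
# which set it after authentication, is the only possible caller.
make_hardened_cgi() {
  cat > "$1" <<'EOF'
#!/bin/sh
expected=httpd   # assumed web server account
caller=$(id -un)
if [ "$caller" != "$expected" ]; then
  printf 'Status: 403\n\nrefused: invoked by %s, not %s\n' "$caller" "$expected"
  exit 0
fi
read -r body
case "$body" in
  *action=add_site*) ;;
  *) printf 'Status: 400\n\nmissing hidden field\n'; exit 0 ;;
esac
printf 'Content-Type: text/plain\n\nsite added by %s\n' "$REMOTE_USER"
EOF
  chmod 700 "$1"
}

# fake_cgi_call SCRIPT REMOTE_USER POST_BODY
# Every value the web server would export to a CGI, REMOTE_USER included,
# is just an environment variable, so a shell user can set all of them.
# env -i starts from an empty environment so nothing leaks from the shell.
fake_cgi_call() {
  body=$3
  printf '%s\n' "$body" | env -i \
    GATEWAY_INTERFACE=CGI/1.1 \
    SERVER_SOFTWARE=fake/1.0 \
    SERVER_NAME=localhost \
    SERVER_PORT=80 \
    REQUEST_METHOD=POST \
    SCRIPT_NAME=/cgi-bin/addsite.cgi \
    CONTENT_TYPE=application/x-www-form-urlencoded \
    CONTENT_LENGTH=${#body} \
    REMOTE_ADDR=127.0.0.1 \
    REMOTE_USER="$2" \
    PATH=/usr/bin:/bin \
    /bin/sh "$1"
}
```

Usage: `make_weak_cgi /tmp/weak.cgi; fake_cgi_call /tmp/weak.cgi admin 'action=add_site&name=test'` prints "site added by admin" no matter who runs it, because the script never learns whether a web server or a shell user set REMOTE_USER. The hardened stand-in answers "refused" unless the invoking account is the web server's; note that root can still run it, and that the permission bits, not the check in the script, are what keep other local users out.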