Re: [cobalt-users] OFFTOPIC: Faking CGI environment

[Mat Kovach <mkovach@xxxxxxxxxxxxxxxxx>]

On Mon, Mar 13, 2000 at 07:00:03PM +0100, manitu wrote:
: is it possible to call a cgi from telnet and do something so that this cgi
: "believes" to be called from the web ? I mean: Can I set the environment
: variables that this cgi would get if it would be called via the web (e.g.
: the variables REMOTE_USER, SCRIPT_NAME etc.) ?

I don't know, have you tried it?  I haven't look at the cobalt stuff, but 
that is not an easy task, if it is possible at all.
 
: If this is possible, I think some of the Cobalt administration cgis are very
: insecure. I just had a closer look into them. Most cgi scripts, e.g. the one
: for adding a virtual site, just check simple things, e.g. some hidden form
: values from the website they were called from. AND: These cgis scripts have
: the permissions 755 so anybody who is able to fake this cgi environment has
: almost full access to the server.

Okay...let see, a program is set as 755 and owned by root.  Therefore only
run can run it.  Somebody is on as root on you're box, they don't need 
to run the script.
 
: I hope that I do not tell something totally wrong, but for me some of the
: security concepts are not very hard to break. Perhaps someone of you can
: tell me that this is not right...

So you have broken the security then?  You have root'd a cobalt this way?

-- 
Mat Kovach                                      mkovach@xxxxxxxxxxxxxxxxx
Cleveland Linux User Group                       http://cleveland.lug.net