Re: [cobalt-users] All folders visable on whole server
- Subject: Re: [cobalt-users] All folders visable on whole server
- From: "WebWorkshop" <webmaster@xxxxxxxxxxxxxxx>
- Date: Fri Dec 8 13:59:03 2000
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
There shouldn't be a big hoopla over this particular script ("...the most
dangerous CGI script I have ever seen!!!")--anyone with a passing knowledge
of Perl or PHP can browse anything on your server. Here's a little PHP
script which I threw together in about two minutes that will print out the
contents of your /etc folder, then print out your passwd file for good
measure. Run this from any virtual host that has PHP enabled:
<?php
# List every entry in /etc, then dump the password file.
$my_dir = opendir("/etc");
# Compare against false explicitly; an entry named "0" would otherwise end the loop early.
while (($file = readdir($my_dir)) !== false) {
    print "$file<br>";
}
closedir($my_dir);
print "<p><b>Here's your passwd file:</b><br>";
include("/etc/passwd");
?>
Besides disabling server-side scripting languages for all accounts on the
server, does anyone know a setting in Apache that will prevent a script like
this from being run (or better yet, allowing it to run but limiting the
access to the script owner's web directory)? Using a script like this you
can browse any directory (even if it's password protected with .htaccess)
and view any file on the server.
~ Chris Calabrese
WebWorkshop Webmaster
http://www.webworkshop.org
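One Apache-side answer to the question above, added here as an example and not taken from the thread or from Cobalt's own configuration: PHP's open_basedir directive, set per virtual host with php_admin_value, confines what scripts under that host may open to paths beneath the host's own web directory. The IP address, ServerName and DocumentRoot paths are assumed.

```apache
# Weak: nothing limits what PHP under this host may open, so
# opendir("/etc") and include("/etc/passwd") both succeed.
<VirtualHost 192.0.2.10>
    # assumed host name and path
    ServerName customer1.example
    DocumentRoot /home/sites/site1/web
</VirtualHost>

# Hardened: confine PHP file access for this host to its own web
# directory plus a scratch directory for uploads and sessions.
# php_admin_value cannot be overridden from a customer's .htaccess,
# unlike php_value.
<VirtualHost 192.0.2.10>
    ServerName customer1.example
    DocumentRoot /home/sites/site1/web
    php_admin_value open_basedir "/home/sites/site1/web:/tmp"
    # Separate hardening: stop PHP under this host from spawning shells.
    php_admin_value disable_functions "exec,system,passthru,shell_exec,popen,proc_open"
</VirtualHost>
```

With open_basedir in place the opendir() and include() calls in the script above fail with an open_basedir restriction warning instead of returning data. It covers only mod_php; Perl CGI running as the web server user still needs something like suexec or a per-user chroot.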
----- Original Message -----
From: "Franklin S. Werren" <fswerren@xxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Friday, December 08, 2000 11:15 AM
Subject: Re: [cobalt-users] All folders visable on whole server
> Hi All;
>
> After testing this tool,
> I am surprised at how easy it was to install and how easy
> it was to use.... And this tool is the most dangerous
> cgi script I have ever seen!!!
> I thought Commander was dangerous to a webserver....
> but because this has an easy GUI it makes it a tool
> crackers would love....
>
> I tried it on my Cube 2 and after I tested it, I deleted it......
> I think that admins should not allow any cgi until
> patches are made or keep an eye on what your
> customers use for cgi......
>
> In most cases Domain owners will not hack a server,
> They do not want to lose their access....
> Server owners should be aware of this new tool....
> If you are an ISP and you use any Linux box
> maybe you should be careful if you allow cgi
> scripting for your customers free web area....