
RE: [cobalt-users] All folders visible on whole server



Browsing a server is one thing, but when Joe User can upload this and in
seconds start chmod'ing and deleting files, that worries most people.

/c


> -----Original Message-----
> From: webmaster@xxxxxxxxxxxxxxx
> Sent: Friday, December 08, 2000 2:39 PM
> To: cobalt-users@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-users] All folders visible on whole server
>
> There shouldn't be a big hoopla over this particular script ("...the most
> dangerous CGI script I have ever seen!!!")--anyone with a passing knowledge
> of Perl or PHP can browse anything on your server. Here's a little PHP
> script which I threw together in about two minutes that will print out the
> contents of your /etc folder, then print out your passwd file for good
> measure. Run this from any virtual host that has PHP enabled:
> 
> <?php
>  // List every entry in /etc; readdir() returns false at the end of the
>  // directory, so compare strictly or an entry named "0" stops the loop.
>  $my_dir = opendir("/etc");
>  while (($file = readdir($my_dir)) !== false) {
>    print "$file<br>";
>  }
>  closedir($my_dir);
>  // include() parses the file as PHP; a file with no <?php tags is simply
>  // echoed to the browser verbatim, which is why this dumps passwd.
>  print "<p><b>Here's your passwd file:</b><br>";
>  include("/etc/passwd");
> ?>
> 
> Besides disabling server-side scripting languages for all accounts on the
> server, does anyone know a setting in Apache that will prevent a script like
> this from being run (or better yet, allowing it to run but limiting the
> access to the script owner's web directory)? Using a script like this you
> can browse any directory (even if it's password protected with .htaccess)
> and view any file on the server.
> 
> ~ Chris Calabrese
> WebWorkshop Webmaster
> http://www.webworkshop.org
> 
> ----- Original Message -----
> From: "Franklin S. Werren" <fswerren@xxxxxxxxxxxx>
> To: <cobalt-users@xxxxxxxxxxxxxxx>
> Sent: Friday, December 08, 2000 11:15 AM
> Subject: Re: [cobalt-users] All folders visible on whole server
> 
> 
> > Hi All;
> >
> > After testing this tool,
> > I am surprised at how easy it was to install and how easy
> > it was to use.... And this tool is the most dangerous
> > cgi script I have ever seen!!!
> > I thought Commander was dangerous to a webserver....
> > but because this has an easy GUI it makes it a tool
> > crackers would love....
> >
> > I tried it on my Cube 2 and after I tested it, I deleted it......
> > I think that admins should not allow any cgi until
> > patches are made or keep an eye on what your
> > customers use for cgi......
> >
> > In most cases Domain owners will not hack a server,
> > They do not want to lose their access....
> > Server owners should be aware of this new tool....
> > If you are an ISP and you use any Linux box
> > maybe you should be careful if you allow cgi
> > scripting for your customers free web area....
> 
> 
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
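The per-virtual-host restriction Chris asks about in the quoted message, as an added example that is not from the thread: an Apache 1.3 httpd.conf fragment for mod_php4, the setup a RaQ or Qube of that era ran. The host name, address and paths are assumed; the weak configuration is shown first, the restricted one after it.

```apache
# Added example, not from the list thread. Host, address and paths are assumed.

# Before: PHP under this vhost runs with no filesystem restriction, so
# opendir("/etc") and include("/etc/passwd") both succeed, as in the
# script quoted above.
<VirtualHost 192.0.2.10>
    ServerName   www.example.org
    DocumentRoot /home/sites/site1/web
</VirtualHost>

# After: confine PHP's file operations (fopen, opendir, include, file, ...)
# to the account's web tree plus a scratch directory. php_admin_value is
# set per vhost and cannot be overridden from .htaccess or with ini_set(),
# which is what makes it useful against a hostile site owner.
# Note the trailing slashes: open_basedir is a prefix match, so
# "/home/sites/site1/web" alone would also admit "/home/sites/site1/webfoo".
<VirtualHost 192.0.2.10>
    ServerName   www.example.org
    DocumentRoot /home/sites/site1/web
    php_admin_value open_basedir "/home/sites/site1/web/:/tmp/"
    # Optional: refuse the process-spawning functions so a script cannot
    # simply shell out to ls/cat and read the files that way.
    php_admin_value disable_functions "system,exec,passthru,shell_exec,popen"
</VirtualHost>
```

Two caveats a server owner should keep in mind. First, open_basedir and disable_functions are enforced inside the PHP interpreter only; a Perl CGI or any other script type is unaffected, so for CGI the matching control is suEXEC (or a comparable wrapper) so that each customer's scripts run under that customer's own uid and are bounded by ordinary Unix permissions. Permissions alone do not hide /etc/passwd, which is world-readable by design; the more serious exposure is whatever the web server's uid can write, which is the chmod-and-delete concern raised at the top of this thread. Second, open_basedir has been bypassed more than once over PHP's history, so treat it as a mitigation that raises the bar, not as a security boundary equivalent to running each site as a separate user. php_admin_value also only applies to PHP as an Apache module; with PHP run as a CGI the same directives have to go in php.ini.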