
Re: [cobalt-users] Cgi scripts allow browsing through virtual sites



Hi,

The big problem here is being sure your users will put the appropriate rights
on their files. This is actually my concern. Now the Raq 4 XTR supports ASP
and PHP by default. All login information for database connections written in
a page is usually hidden by the ASP or PHP engine before it shows up in the
browser; with this kind of script, or even telnet/ssh, people on your raq can
easily see and use the database of someone else without any problem.

MySQL is not too bad: you can set from where the user will connect and the
rights of this user. Read-only would be best, but a database is used
especially when you want input from the outside world, so you will probably
have write rights too.
Disabling telnet can greatly increase security too. If you take a look at
telnet, all users can read all other users' files, the same as a cgi-script or
any server-side engine (ASP, PHP, etc.).
You can also send server files as email attachments (I never tried the
shadow password list yet).
People using 777 as chmod can get some problems with that kind of security
hole.


One double-edged blade is htaccess to have your VIP files protected, but here
again it is not the solution: by protecting files or directories with htaccess
you also protect them from Internet users, but this can be helpful for admin
files or database-related stuff. A problem is that htaccess is disabled on the
raq now, and Cobalt answered it was disabled for security reasons, involving a
new feature.

Here we have several raq3, raq4 and raq xtr, and none works perfectly, and
of all of them the xtr are the worst.

Hope this will remove your fear.

Best Regards...
support@xxxxxxxxxxxxxxxxxx

----- Original Message -----
From: "Keith Davis" <cache@xxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Tuesday, May 08, 2001 4:31 AM
Subject: Re: [cobalt-users] Cgi scripts allow browsing through virtual sites


> Kees Wakkerman wrote:
> >
> > A customer wants to set up a search script that browses through his entire
> > (virtual) site on our RAQ4 for certain keywords. One of the parameters in
> > the cgi script is the local server path for his site
> > (/home/sites/www.xyz.com/web). The script runs without error.
> > Now we change the server localpath parameter to /home/sites and... the
> > script is suddenly allowed to browse through all the other virtual sites as
> > well. Same happens when changing the server localpath parameter to /. How to
> > prevent cgi scripts from browsing every directory on the RAQ4? How to
> > prevent users from browsing out of their virtual site context?
>
> Is that a problem? That's a search script. Add the http::client
> subroutines to it and you could put it on a different server and point it to
> any of your domains' URLs and it would still read all those files. It's
> a search engine, they do that. It's reading only the same files within
> domains that Alta Vista's Scooter can read.
>
> But since it's on your server it can also read files outside the domains
> area, if you let it. But whether it's reading a file inside a domain or
> in the etc directory, it can still only read the files you've let it, in
> other words files with at least --- --- r-- permissions. If you give a
> file world read permissions then world can indeed read it. Any Perl or
> PHP script on the server should be able to read /etc/passwd because it
> has -rw-r--r-- permission. But only a script owned by root can read the
> /etc/shadow file because it has -rw------- permission.
>
> If you don't want it to be able to read a file don't blame the script,
> or change it, change permissions on the file. That is why your site
> owners need to be sure CGIWrap is on in their domain and then make sure
> their scripts and the files they write to are owned by the same user,
> and then give those files only 0600 permissions. Even the ServerAdmin
> cannot read those files, let alone a script from a different domain.
>
> I know, it feels insecure, kinda like going out in public without
> wearing shorts under your trousers, but it feels more insecure than it
> is....
>
> keith
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
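The permission rule Keith describes (owner, group, then other; root bypasses the bits) and the audit a hosting admin would run for the 777-style mistake mentioned earlier in the thread, as an added example that is not part of either message. The uids, site names and file layout are constructed stand-ins for /home/sites on a RaQ.

```python
"""Unix read-permission check and a world-readable audit of a web root."""
import os
import stat
import tempfile

ROOT_UID = 0


def can_read(mode, file_uid, file_gid, proc_uid, proc_gids):
    """True if a process (uid, gids) may read a file (mode, owner, group).

    The first matching class decides, as the kernel does: an owner with
    mode 0o044 is refused even though "other" would be allowed.
    """
    if proc_uid == ROOT_UID:          # root ignores the permission bits
        return True
    if proc_uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in proc_gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)  # any CGI from any site lands here


def find_world_readable(root):
    """Regular files under root that every local uid can read (o+r)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed stand-in for /home/sites: two sites, mixed modes."""
    root = tempfile.mkdtemp(prefix="sites-")
    layout = {
        "www.xyz.com/web/index.html": 0o644,        # public page, fine
        "www.xyz.com/web/db-config.php": 0o600,     # the 0600 Keith asks for
        "www.other.com/web/db-config.php": 0o666,   # the chmod 777 habit
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root
```

Run `find_world_readable("/home/sites")` on a real box to list the files any site's CGI can read; `can_read` reproduces the /etc/passwd versus /etc/shadow cases from the thread with the constructed uids.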