
RE: [cobalt-users] CGI email



> The env_report field is not a bug, it's a FEATURE!!

I agree, this was the intent, and surely, not everything in the
disclosed information is hacker fodder. But make no mistake, the
less public the inner workings of your system are, no matter how
mundane, the more secure your system is. This is not a new concept.

> The env_report simply allows the owner of the script, or any other
> approved recipient, to email himself the value of an environment
> variable. It does NOT somehow magically allow the author of the so-called
> exploit, or anyone else, to email himself that value, or anything else.

I always appreciate the cool heads angle; but yes it does, when run
unaltered in a typical default environment; which is the way a lot of
people apt to use PD scripts will run it.

> In order to get an environment variable emailed to himself the perp
> would have to be able to fake the referrer and also be in the list of
> approved recipients, assuming the owner specifies a list of approved
> recipients (see earlier post). 

Yeah, I posted that recipients code and have used it a lot with
much success. I also have a snippet that logs attempts to exploit
it if anyone's interested. You'd be amazed..... but the referrer
check is worthless as written since a URL typed directly in passes
''; and if one is savvy enough to make use of a listing of environment
variables; manipulating the ones passed by the browser is trivial.
 
Clark Morgan
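
Added example, not part of the original message and not the script's own code: a server-side check that fails closed on an empty referrer, accepts only pre-approved recipients, limits env_report to named variables, and logs rejected attempts. The form field name `recipient`, the policy sets, the function names and the sample addresses are assumptions made for this sketch.

```python
from urllib.parse import urlsplit

# Hypothetical site policy; every value here is constructed for illustration.
ALLOWED_REFERER_HOSTS = {"www.example.com"}
ALLOWED_RECIPIENTS = {"webmaster@example.com"}
ALLOWED_ENV_REPORT = {"HTTP_USER_AGENT", "REMOTE_HOST"}


def referer_host(value):
    """Host part of a Referer value, or None if empty or unparsable."""
    try:
        return urlsplit(value or "").hostname
    except ValueError:
        return None


def referer_ok_as_described(referer):
    """The check as the message describes it: an empty referrer passes."""
    if not referer:
        return True
    return referer_host(referer) in ALLOWED_REFERER_HOSTS


def validate_submission(form, environ, log):
    """Return (accepted, env_names); every rejection is appended to log."""
    reasons = []
    # Fail closed: a missing or empty Referer gives host None, never a match.
    # The header is client-supplied, so this only filters casual misuse;
    # the two allowlists below are the controls that matter.
    if referer_host(environ.get("HTTP_REFERER")) not in ALLOWED_REFERER_HOSTS:
        reasons.append("referer")
    # The recipient is taken from the form only if it is pre-approved.
    if form.get("recipient", "").strip().lower() not in ALLOWED_RECIPIENTS:
        reasons.append("recipient")
    # Only explicitly named variables may be mailed out.
    requested = form.get("env_report", "").replace(",", " ").split()
    denied = [name for name in requested if name not in ALLOWED_ENV_REPORT]
    if denied:
        reasons.append("env_report:" + ",".join(denied))
    if reasons:
        source = environ.get("REMOTE_ADDR", "-")
        log.append("%s rejected %s" % (source, ";".join(reasons)))
        return False, []
    return True, requested
```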