[cobalt-users] Security implications of a custom cgi script in the admin Gui
- Subject: [cobalt-users] Security implications of a custom cgi script in the admin Gui
- From: "Steve Bassi" <steve@xxxxxxxxx>
- Date: Fri Apr 19 21:12:01 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
I have added the script below to /usr/admserv/cgi-bin/.cobalt/admin.
This allows me to enter bash commands from a web interface.
I access the page from
https://www.domain.com:81/cgi-bin/.cobalt/admin/scriptname
so my admin password goes over SSL.
Would anyone be able to tell me any additional security implications this
could have?
And any suggestions to enhance the security of using what seems to be a
potentially dangerous script?
Thanks
Bassi
#!/usr/bin/perl
print "Content-type: text/html\n\n";
if ( $ENV{'CONTENT_LENGTH'} ) {
read(STDIN,$_,$ENV{'CONTENT_LENGTH'});
s/(.)*=//; s/\+/ /g; s/%(..)/pack("c",hex($1))/ge;
$out=`$_ 2>&1`;
print "\%: $_<PRE>$out</PRE>";
}
print "<FORM METHOD=POST>
<INPUT TYPE=\"TEXT\" NAME=\"text\" SIZE=60 MAXLENGTH=100>
<INPUT TYPE=\"SUBMIT\" VALUE=\"Ok\"></FORM>";
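
A hardened counterpart to the script above, added here as an example and not part of the original post: the request selects one of a few fixed actions instead of supplying a command line, nothing from the request reaches a shell, and output is HTML-escaped before it is printed. The action names and command paths are assumptions chosen for illustration, and the list-form pipe open assumes Perl 5.8 or later.

```perl
#!/usr/bin/perl -T
# Added example, not the poster's script: fixed actions instead of free-form shell input.
use strict;
use warnings;

$ENV{PATH} = '/bin:/usr/bin';                  # taint mode refuses to exec with an inherited PATH
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Allowlist (assumed actions and paths): name => fixed argv, never built from the request.
my %ACTIONS = (
    uptime => ['/usr/bin/uptime'],
    disk   => ['/bin/df', '-k'],
    who    => ['/usr/bin/who'],
);

# Escape text before placing it in HTML so command output cannot inject markup.
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $s =~ s/([&<>"])/$ent{$1}/g;
    return $s;
}

# Return the requested action name only if it is an allowlisted key, else undef.
sub requested_action {
    my ($body) = @_;
    return undef unless $body =~ /(?:^|&)action=([a-z]+)(?:&|$)/;
    return exists $ACTIONS{$1} ? $1 : undef;
}

print "Content-type: text/html\n\n";
my ($len) = ($ENV{CONTENT_LENGTH} || '') =~ /^(\d{1,3})$/;   # digits only, bounded below
if (($ENV{REQUEST_METHOD} || '') eq 'POST' && $len && $len <= 256) {
    read(STDIN, my $body, $len);
    $body = '' unless defined $body;
    if (defined(my $name = requested_action($body))) {
        # List-form pipe open: the program is exec'd directly, with no /bin/sh parsing.
        open(my $fh, '-|', @{ $ACTIONS{$name} }) or die "cannot run $name: $!";
        my $out = do { local $/; <$fh> };
        close($fh);
        print "<PRE>", html_escape(defined $out ? $out : ''), "</PRE>";
    } else {
        print "<P>Unknown action.</P>";
    }
}
print "<FORM METHOD=POST><SELECT NAME=\"action\">",
      map("<OPTION>$_</OPTION>", sort keys %ACTIONS),
      "</SELECT><INPUT TYPE=\"SUBMIT\" VALUE=\"Run\"></FORM>";
```

This version still relies on the admin server's password check for access control, and the commands run with whatever privileges the admin server gives its CGI scripts.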