RE: [cobalt-users] Security implications of a custom cgi script in the admin Gui
- Subject: RE: [cobalt-users] Security implications of a custom cgi script in the admin Gui
- From: "Jonothon Ortiz (Xnext, Inc)" <jon@xxxxxxxxx>
- Date: Fri Apr 19 22:00:59 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Use GET instead of POST.
Generally, however, I'd say it was a bad idea to implement this remotely.
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Steve Bassi
Sent: Saturday, April 20, 2002 00:11
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: [cobalt-users] Security implications of a custom cgi script in
the admin Gui
I have added the script below to /usr/admserv/cgi-bin/.cobalt/admin.
This allows me to enter bash commands from a web interface.
I access the page from
https://www.domain.com:81/cgi-bin/.cobalt/admin/scriptname
so my admin password goes over ssl.
Would anyone be able to tell me any additional security implications this
could have?
And any suggestions to enhance the security of using what seems to be a
potentially dangerous script.
Thanks
Bassi
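#!/usr/bin/perl
# CGI handler: runs the submitted form field as a shell command and prints its output.
print "Content-type: text/html\n\n";
if ( $ENV{'CONTENT_LENGTH'} ) {
    # Read the raw POST body (for example "text=ls+-l") into $_
    read(STDIN,$_,$ENV{'CONTENT_LENGTH'});
    # Strip everything up to and including the last '=', then URL-decode:
    # '+' becomes a space and %XX becomes the corresponding byte
    s/(.)*=//; s/\+/ /g; s/%(..)/pack("c",hex($1))/ge;
    # Pass the decoded string to the shell, capturing stdout and stderr
    $out=`$_ 2>&1`;
    # Echo the command and its output into the page (neither is HTML-escaped)
    print "\%: $_<PRE>$out</PRE>";
}
# Always render the command entry form
print "<FORM METHOD=POST>
<INPUT TYPE=\"TEXT\" NAME=\"text\" SIZE=60 MAXLENGTH=100>
<INPUT TYPE=\"SUBMIT\" VALUE=\"Ok\"></FORM>";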
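Added example, not part of the original thread and not either poster's code: one way to reduce the exposure of the script quoted above is to accept only a key from a fixed table of actions, run the mapped program without a shell, and HTML-escape whatever is printed. The action names, binary paths and the form field name "action" are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): allowlisted actions, no shell, escaped output.
use strict;
use warnings;
# Hypothetical action table: the form submits a key, never a command string.
my %ACTIONS = (
    disk   => [ '/bin/df', '-h' ],
    uptime => [ '/usr/bin/uptime' ],
);

# Escape text before placing it in HTML (the original script echoes it raw).
sub html_escape {
    my ($s) = @_;
    my %ent = ( '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' );
    $s =~ s/([&<>"])/$ent{$1}/g;
    return $s;
}

# Extract one field from an application/x-www-form-urlencoded body.
sub form_field {
    my ( $body, $name ) = @_;
    for my $pair ( split /&/, $body ) {
        my ( $k, $v ) = split /=/, $pair, 2;
        next unless defined $k && defined $v && $k eq $name;
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        return $v;
    }
    return '';
}

# Run an allowlisted action; list-form open() execs argv directly, with no shell.
sub run_action {
    my ($key) = @_;
    my $argv = $ACTIONS{$key} or return 'unknown action';
    local %ENV = ( PATH => '/bin:/usr/bin' );    # fixed, minimal environment
    open( my $fh, '-|', @$argv ) or return "cannot run: $!";
    my $out = do { local $/; <$fh> };
    close $fh;
    return defined $out ? $out : '';
}

print "Content-type: text/html\n\n";
if ( ( $ENV{REQUEST_METHOD} || '' ) eq 'POST' && $ENV{CONTENT_LENGTH} ) {
    read( STDIN, my $body, $ENV{CONTENT_LENGTH} );
    print '<PRE>', html_escape( run_action( form_field( $body, 'action' ) ) ), '</PRE>';
}
print '<FORM METHOD="POST"><SELECT NAME="action">',
    map( "<OPTION>$_</OPTION>", sort keys %ACTIONS ),
    '</SELECT><INPUT TYPE="SUBMIT" VALUE="Ok"></FORM>';
```

This sketch does not cover forged requests sent through an already authenticated admin browser, or the privileges the CGI process runs with; both depend on how the admin server is set up.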