On Fri, Feb 23, 2001 at 12:12:39PM -0500, Steve Rudd wrote:
> Peter Cords said:
>
> > [...]
> > Note that if you allow execution of arbitrary CGI programs, the CGI program
> > could do anything, including start a shell listening on a TCP port, or even
> > sshd, for someone to connect to. Allowing arbitrary CGI is equivalent to
> > giving public shell access.
>
> I have several cgi-scripts on the site. One is a data base program open to
> public searching of information. Is any cgi-script at risk if it is in the
> cgi-bin?

No, that's not what I was talking about. The CGI scripts that you are running now were set up by you, and do good things, not bad things. If you give out usernames/passwords, then a cracker could install her own CGI script. The risk is in letting them install new CGI scripts, not anything to do with currently installed CGI scripts.

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack my day
so wretchedly into small pieces!" -- Plautus, 200 BCE
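
An added example, not part of the original message: since the risk described above is who can install or replace scripts, this Python sketch lists every account-level write path into a CGI directory. The function name `install_paths`, the `trusted_uids` parameter and the sample file `search.cgi` are hypothetical, and the check covers only classic Unix owner/group/other bits (no ACLs, no parent directories).

```python
import os
import stat
import tempfile

def install_paths(cgi_dir, trusted_uids=(0,)):
    """Return (path, reason) pairs for each way an account outside
    trusted_uids could add a new script to cgi_dir or replace one in it."""
    findings = []
    for root, dirs, files in os.walk(cgi_dir):
        # A writable directory lets someone drop a new script;
        # a writable file lets someone replace an existing one.
        links = [d for d in dirs if os.path.islink(os.path.join(root, d))]
        for path in [root] + [os.path.join(root, n) for n in files + links]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink: target not audited"))
                continue
            if st.st_uid not in trusted_uids:
                findings.append((path, f"owned by uid {st.st_uid}"))
            if st.st_mode & stat.S_IWGRP:
                findings.append((path, f"writable by gid {st.st_gid}"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
    return findings

if __name__ == "__main__":
    # Constructed sample: a throwaway cgi-bin with one group-writable script.
    demo = tempfile.mkdtemp()
    os.chmod(demo, 0o755)
    script = os.path.join(demo, "search.cgi")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(script, 0o775)
    for path, reason in install_paths(demo, trusted_uids=(os.getuid(),)):
        print(path, "->", reason)
```

An empty result means only the trusted accounts can change what the web server will execute from that directory.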