On Fri, Feb 23, 2001 at 12:12:39PM -0500, Steve Rudd wrote:
> Peter Cords said:
>
> > [...]
> > Note that if you allow execution of arbitrary CGI programs, the CGI program
> >could do anything, including start a shell listening on a TCP port, or even
> >sshd, for someone to connect to. Allowing
Yes. Normal users ( such as the www-data user that will execute the
cgi script ) can open ports above 1024 and run whatever they want.
You could do neat tricks like giving each user their own apache
daemon and documentroot and everything, and using an apache or
squid proxy to let the outside get
This rather disturbs me, since I depend on sudo far too much..
- Forwarded message from Gossi The Dog <[EMAIL PROTECTED]> -
Delivered-To: [EMAIL PROTECTED]
Approved-By: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Delivered-To: bugtraq@securityfocus.com
Date: Fri, 23 Feb 2001
Peter Cords said:
If you allow execution of
CGI programs from public_html, then users will be able to execute code
(probably under their UID). Then you have to secure your machine against
local exploits. Obviously, you should do this anyway, but if crackers can
run arbitrary code (as a non-pri
On Fri, Feb 23, 2001 at 09:57:30AM -0500, Steve Rudd wrote:
> Hi! Steve Rudd with more "disconsolate mumbling" (great term )
>
> So if I did publish a user name and password (not that I would) that had
> pop 3 and ftp access with no shell access and was restricted to public html
> directories, i
On Thursday, February 22, 2001, 8:09:36 PM, andre wrote:
> I've used macs as servers for fairly large numbers of people working for a
> school district (k12 districts aren't into *nixes much yet, at least mine
> wasn't...). It ran webstar (httpd), eims (mail), quickdns pro, and
> netpresenz (ftpd).
This rather disturbs me, since I depend on sudo far too much..
- Forwarded message from Gossi The Dog <[EMAIL PROTECTED]> -
Delivered-To: [EMAIL PROTECTED]
Approved-By: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Date: Fri, 23 Feb 2001 00:53:
Hi! Steve Rudd with more "disconsolate mumbling" (great term )
So if I did publish a user name and password (not that I would) that had
pop 3 and ftp access with no shell access and was restricted to public html
directories, is that a risk to the rest of the system? A standard public
box has h
Peter Cords said:
>If you allow execution of
>CGI programs from public_html, then users will be able to execute code
>(probably under their UID). Then you have to secure your machine against
>local exploits. Obviously, you should do this anyway, but if crackers can
>run arbitrary code (as a non
On Thu, Feb 22, 2001 at 10:50:57PM -0500, Bob Bernstein wrote:
>
> On Thu, 22 Feb 2001 13:43:55 -0500, Steve Rudd mumbled disconsolately:
>
> > Why I could even post them on my root page and taunt
> > hackers to try and break in with them! I could even offer a 1000 prize for
> > anyone who c