
Journal of IlyaM (2933)

Friday August 29, 2003
08:01 AM

False Security

[ #14387 ]
What I don't get is why many ISPs don't allow SSH access to their boxes while at the same time they allow you to run your own CGI scripts. If you can run arbitrary CGI then you can run arbitrary code on the server even without a shell.

On a similar note, why does SourceForge disallow SSH access to their CVS servers when they allow you to modify files in CVSROOT? If I can add commit and loginfo scripts there, I can run arbitrary code on the server too.

For sysadmins: better not to waste your time on false security measures, especially when they make life harder for legitimate users.

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • is the ISPs that don't allow any login access, but not only allow arbitrary CGI programs to execute but also have X installed, so full access is a quick "xterm -d yourhost" away... :(