Stories
Slash Boxes
Comments

NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

use Perl

All the Perl that's Practical to Extract and Report

use Perl Log In

[ Create a new account ]

IlyaM (2933)

IlyaM
ilya@martynov.org
http://martynov.org/

Journal of IlyaM (2933)

Friday August 29, 2003

08:01 AM

False Security

[ #14387 ]

What I don't get is why many ISPs don't allow ssh access to their boxes while at same time they allow you to run your own cgi scripts. If you can run arbitrary CGI then you can run arbitrary code on the server even without shell.

On similar note why SourceForge disallow SSH access to their CVS servers when they allow you to modify files in CVSROOT? If I can add commit and loginfo scripts there I can run arbitrary code on the server too.

For sysamins: better not waste your time on false security measures especially when it makes life of legimate users harder.

List all Journal entries

False Security More | Login | Reply

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Without JavaScript enabled, you might want to use the classic discussion system instead. If you login, you can remember this preference.

What you really have to love (Score:2, Insightful)

by Elian (119)

is the ISPs that don't allow any login access, but not only allow arbitrary CGI programs to execute but also have X installed, so full access is a quick "xterm -d yourhost" away... :(

Get More Comments

Reply

use Perl

All the Perl that's Practical to Extract and Report

Navigation

use Perl Log In

IlyaM (2933)

Journal of IlyaM (2933)

False Security

False Security 1 Comment More | Login | Reply /

Please Log In to Continue

What you really have to love (Score:2, Insightful)