World: r3wp
[CGI] web server issues
Pekr 5-Dec-2005 [342x2] | what permission should scripts have, 755 or 775? |
maybe I use 775 and it is not needed to have it so high? | |
Graham 5-Dec-2005 [344x2] | doesn't need to be able to be read |
I mean group or world write | |
Volker 5-Dec-2005 [346x3] | 1) should be secure. decode-cgi should put only strings in the data, nothing executable. (i use a lot "should" when it comes to security and i did not double-check). But why do you do that? simply mold decode-cgi should give the same. |
correction, that response was for 2) | |
1) trap errors. Big if not attempt [ your code here ] [ print [header "You triggered some error" footer] ] | |
Pekr 5-Dec-2005 [349x3] | ad 2) preparation for table output ... simple mold was quick option ... I just wanted to know ... |
thanks for 1), I thought so, but did not think it could be so easy :-) | |
what about 3)? Graham said that FTP client should allow me to set permission, but I can't find any option to do it in FTP Total Commander provides ... | |
Volker 5-Dec-2005 [352x3] | 3) I would not put rebol in cgi-bin. If it is there, one can call the rebol-exe from the outside, without it doing a string. Never tried that, but it may think post-data is console-input. rights should be 755, only you can modify, but everyone can read it. the server may call it as "somebody else", and so it must be readable for that "user" |
2) decode-cgi builds the data itself AFAIK. does not use load. so all data should be strings. i am not sure about words, i guess they are bound. when you only fetch the words and turn them immediately into a string, that should be ok. the usual way is construct decode-cgi so that the result is safe, because all words are bound to that context. | |
3) a good client can do that. so i guess yours has an option somewhere. | |
Pekr 5-Dec-2005 [355x2] | well, but as for 3) if I only edit my script, overwrite it, the permission (after copying it back to ftp) will be preserved. But if I add script, it has insufficient permission once again ... |
ok, will look around in Total Commander ... | |
Graham 5-Dec-2005 [357] | Volker, people say it should not go in cgi-bin .. I have yet to see an exploit for this. |
Volker 5-Dec-2005 [358] | i am curious. what is your url? |
Graham 5-Dec-2005 [359] | If you call it .. so what? You can't feed it parameters. |
Pekr 5-Dec-2005 [360] | Ah, found it! Nice, it is in the first menu "Change attributes" .... |
Volker 5-Dec-2005 [361] | if i post something, that goes to "console". I do not know how rebol handles that. Hopefully it is smart enough to do nothing. |
Pekr 5-Dec-2005 [362] | Volker: http://www.cod-okna.cz/cgi-bin/rebol |
Volker 5-Dec-2005 [363] | i try that post-thing. hope graham is right. |
Graham 5-Dec-2005 [364] | thinking about it .. you would have to have a script in the cgi-bin directory that the remote user could exploit. |
Volker 5-Dec-2005 [365] | when you start rebol without script, it takes commands from console.. at least with from a real console.. |
Graham 5-Dec-2005 [366] | Hmm. So, the remote user could start up multiple consoles? |
Volker 5-Dec-2005 [367] | if that works. never really tried. |
Pekr 5-Dec-2005 [368x2] | can user go outside his cgi-bin directory, if he copies a script there, with -cs option? |
but console ends imo, no? | |
Volker 5-Dec-2005 [370] | with the -s yes. |
Graham 5-Dec-2005 [371] | What if the remote user calls rebol with a url as a parameter... ? |
Pekr 5-Dec-2005 [372x3] | uh ... |
but how do you give it a parameter? do you make it part of the url? But apache will fail, no? | |
take my above url as an example | |
Graham 5-Dec-2005 [375] | well, rebol will take a url as a command line parameter |
Volker 5-Dec-2005 [376] | I think url are passed in another way. in read-cgi is "system/options/cgi/query-string" |
Graham 5-Dec-2005 [377] | http://www.cod-okna.cz/cgi-bin/rebol http://www.compkarori.com/test.r The requested URL /cgi-bin/rebol http://www.compkarori.com/test.r was not found on this server. Apache/2.0.50 (Fedora) Server at www.cod-okna.cz Port 80 |
Volker 5-Dec-2005 [378x2] | the basics should be something like this. but does not work. |
probe read/custom http://www.cod-okna.cz/cgi-bin/rebol [ post {print "content-type: text/plain^/^/oho^/"} ] | |
Graham 5-Dec-2005 [380] | well, I still think it's safe :) |
Volker 5-Dec-2005 [381x3] | another try, Pekr does not find a new file. |
probe read/custom http://www.cod-okna.cz/cgi-bin/rebolprobe [ post {write %exploited.txt "Ooops" print "content-type: text/plain^/^/oho^/"} ] | |
-> i hope does not find. | |
Pekr 5-Dec-2005 [384] | no new rebols in ps - aux output yet :-) |
Volker 5-Dec-2005 [385] | No, that should only run, make a file in rebols dir and quit. Hmm, in the current dir, where is that? |
Pekr 5-Dec-2005 [386] | no files in-there .... |
Volker 5-Dec-2005 [387] | then Graham is right i think. although i would not do it :) |
Pekr 5-Dec-2005 [388x2] | well, but it is a good option to simply make nearly whatever provider a rebol hoster :-) |
I think that it is a legitimate approach though. IIRC, my first article I read in some 1996 regarding cgi, was stating something like - put your C app into cgi-bin directory. Back then the author was describing that cgi is simply common gateway interface, and that your executable app should be put in cgi-bin directory. And rebol is a C app :-) | |
Sunanda 5-Dec-2005 [390] | Petr: <<I mean - above block in 'join statement is reduced - is it secure?>> That should be okay. You could just do a construct/with to create an object. If you are intending to create an object, then pre-process the block from decode-cgi to ensure that the word "self" is not used as a keyword (tip courtesy of Chris RG, if I remember rightly). |
Volker 5-Dec-2005 [391] | Not sure. Maybe he means main app? |