AltME groups homeHelpJoin REBOL3 world
  Find AltME posts   Help

Recent posts

Worlds:r4wpr3wp
AccessibilityAbout / FAQ
Member's loungeContact/FeedbackOther REBOL links
Membership:
member name

password

Remember?

Not a member? Please join
5-May 21:23 UTC
[0.056] 17.304k
r3wp [groups: 83 posts: 189283]
  • Home
  • Script library
  • AltME Archive
  • Mailing list
  • Articles Index
  • Site search
 

World: r3wp

Join the discussions in the REBOL3 world...

[CGI] web server issues

older
newer		first
last
Volker
5-Dec-2005
[370]
with the -s yes.
Graham
5-Dec-2005
[371]
What if the remote user calls rebol with a url as a parameter... 
?
Pekr
5-Dec-2005
[372x3]
uh ...

but how you give it a parameter? do you make it part of url? But 
apache will fail, no?

take my above url as an example
Graham
5-Dec-2005
[375]
well, rebol will take a url as a command line parameter
Volker
5-Dec-2005
[376]
I think url are passed in another way. in read-cgi is "system/options/cgi/query-string"
Graham
5-Dec-2005
[377]
http://www.cod-okna.cz/cgi-bin/rebolhttp://www.compkarori.com/test.r


The requested URL /cgi-bin/rebol http://www.compkarori.com/test.r
was not found on this server.
Apache/2.0.50 (Fedora) Server at www.cod-okna.cz Port 80
Volker
5-Dec-2005
[378x2]
the basics should be something like this. but does not work.

probe read/custom http://www.cod-okna.cz/cgi-bin/rebol[
 post {print "content-type: text/plain^/^/oho^/"}
]
Graham
5-Dec-2005
[380]
well, I still think it's safe :)
Volker
5-Dec-2005
[381x3]
another try, Pekr does not find a new file.

probe read/custom http://www.cod-okna.cz/cgi-bin/rebolprobe [

 post {write %exploited.txt "Ooops" print "content-type: text/plain^/^/oho^/"}
]

-> i hope does not find.
Pekr
5-Dec-2005
[384]
no new rebols in ps - aux output yet :-)
Volker
5-Dec-2005
[385]
No, that should only run, make a file in rebols dir and quit. Hmm, 
in the current dir, where is that?
Pekr
5-Dec-2005
[386]
no files in-there ....
Volker
5-Dec-2005
[387]
then Graham is right i think. although i would not do it :)
Pekr
5-Dec-2005
[388x2]
well, but it is good option to simply make nearly whatever provider 
a rebol hoster :-)

I think that it is legitimate aproach though. IIRC, my first article 
I read in some 1996 regarding cgi, was stating something like - put 
your C app into cgi-bin directory. Back then the author was describing 
that cgi is simply common gateway interface, and that your executable 
app should be put in cgi-bin directory. And rebol is C app :-)
Sunanda
5-Dec-2005
[390]
Petr: <<I mean - above block in 'join statement is reduced - is it 
secure?>>

That should be okay.  You could just do a construct/with to create 
an object.

If you are intending to create an object, then pre-process the block 
from decode-cgi to ensure that the word "self" is not used as a keyword 
(tip courtesy of Chris RG, if I remember rightly).
Volker
5-Dec-2005
[391x2]
Not sure. Maybe he means main app?

i mean a main app in c.
Pekr
5-Dec-2005
[393]
thanks guys ....
Volker
5-Dec-2005
[394x2]
wait! how many sleeping rebols do you want?

url: http://www.cod-okna.cz/cgi-bin/rebol
print "should be fast"
probe attempt[ read probe url]  ; 
print "should be slow"
probe attempt[ 
 read/custom  url probe [
  post {wait 4^/}
 ]
]
Pekr
5-Dec-2005
[396]
and? You are imo reading rebol executable, that is all :-)
Graham
5-Dec-2005
[397]
he's trying to start it up and leave a console running
Volker
5-Dec-2005
[398]
No, the second time i do a wait. that should be slower.
Pekr
5-Dec-2005
[399]
ah, but the console would have to get that command (wait 4) - do 
you think it is passed to it?
Volker
5-Dec-2005
[400x3]
I think so.

but hard to exploit more. security is on, so only access to cgi-bin 
and childs. cgi-bin should not be writable by the cgi-user. except 
if cgis run as your account, then i could write a script with -cs 
and call that in the next step.

and getting data out does not work, because rebol first prints its 
version-stuff, and webserver thinks "header wrong"
Pekr
5-Dec-2005
[403x4]
ok, just tried it - Volker is right ...

I can see processes, for one read/custom two of them - dunno why 
...

but you could flood server, running hundreds of instances .... keeping 
them in memory for long time ...

now - is it a rebol vulnerability? Or just putting rebol into cgi-bin 
is the simple cause?
Volker
5-Dec-2005
[407x4]
Yes, but i could also call hundreds of regular scripts to keep server 
busy. although this way is  easier, i can allocate lots of mem with 
one call.

I would say: do no exe in cgi if it cant handle cgi. and rebol cant 
(except with script).

but it could protect itself by checking for cgi without -c? So not 
a bug, but a missing feature?

do no exe in cgi -> put no exe in cgi-bin
Graham
5-Dec-2005
[411]
security through obsfuscation .. rename your rebol binary !
Pekr
5-Dec-2005
[412]
how could it protect itself? How does it know it is in place to be 
run as a cgi interpreter?
Volker
5-Dec-2005
[413]
Hmm, good question. May be hard.
Pekr
5-Dec-2005
[414x2]
Graham - my server is far from popular. I think no-one will do Volker's 
like trick. But you might be right, if we teach ppl to simply put 
rebol into cgi-bin dir, and then such "vulnerability" is found, ISPs 
might hate it ....

renaming executable might work ... sufficiently enough imo ...
Volker
5-Dec-2005
[416]
I see no reason why not to put it somewhere else, outside of web-folders.
Graham
5-Dec-2005
[417]
Hosts wont' normally put rebol into their own cgi-bin
Pekr
5-Dec-2005
[418]
Graham - because then user can't do it, ISP has to  ...
Graham
5-Dec-2005
[419]
Volker, often hosts will not allow exes outside cgi-bin
older
newer		first
last