World: r3wp
[CGI] web server issues
| older newer | first last |
| Volker 5-Dec-2005 [376] | I think url are passed in another way. in read-cgi is "system/options/cgi/query-string" |
| Graham 5-Dec-2005 [377] | http://www.cod-okna.cz/cgi-bin/rebolhttp://www.compkarori.com/test.r The requested URL /cgi-bin/rebol http://www.compkarori.com/test.r was not found on this server. Apache/2.0.50 (Fedora) Server at www.cod-okna.cz Port 80 |
| Volker 5-Dec-2005 [378x2] | the basics should be something like this. but does not work. |
probe read/custom http://www.cod-okna.cz/cgi-bin/rebol[ post {print "content-type: text/plain^/^/oho^/"} ] | |
| Graham 5-Dec-2005 [380] | well, I still think it's safe :) |
| Volker 5-Dec-2005 [381x3] | another try, Pekr does not find a new file. |
probe read/custom http://www.cod-okna.cz/cgi-bin/rebolprobe [ post {write %exploited.txt "Ooops" print "content-type: text/plain^/^/oho^/"} ] | |
-> i hope does not find. | |
| Pekr 5-Dec-2005 [384] | no new rebols in ps - aux output yet :-) |
| Volker 5-Dec-2005 [385] | No, that should only run, make a file in rebols dir and quit. Hmm, in the current dir, where is that? |
| Pekr 5-Dec-2005 [386] | no files in-there .... |
| Volker 5-Dec-2005 [387] | then Graham is right i think. although i would not do it :) |
| Pekr 5-Dec-2005 [388x2] | well, but it is good option to simply make nearly whatever provider a rebol hoster :-) |
I think that it is legitimate aproach though. IIRC, my first article I read in some 1996 regarding cgi, was stating something like - put your C app into cgi-bin directory. Back then the author was describing that cgi is simply common gateway interface, and that your executable app should be put in cgi-bin directory. And rebol is C app :-) | |
| Sunanda 5-Dec-2005 [390] | Petr: <<I mean - above block in 'join statement is reduced - is it secure?>> That should be okay. You could just do a construct/with to create an object. If you are intending to create an object, then pre-process the block from decode-cgi to ensure that the word "self" is not used as a keyword (tip courtesy of Chris RG, if I remember rightly). |
| Volker 5-Dec-2005 [391x2] | Not sure. Maybe he means main app? |
i mean a main app in c. | |
| Pekr 5-Dec-2005 [393] | thanks guys .... |
| Volker 5-Dec-2005 [394x2] | wait! how many sleeping rebols do you want? |
url: http://www.cod-okna.cz/cgi-bin/rebol print "should be fast" probe attempt[ read probe url] ; print "should be slow" probe attempt[ read/custom url probe [ post {wait 4^/} ] ] | |
| Pekr 5-Dec-2005 [396] | and? You are imo reading rebol executable, that is all :-) |
| Graham 5-Dec-2005 [397] | he's trying to start it up and leave a console running |
| Volker 5-Dec-2005 [398] | No, the second time i do a wait. that should be slower. |
| Pekr 5-Dec-2005 [399] | ah, but the console would have to get that command (wait 4) - do you think it is passed to it? |
| Volker 5-Dec-2005 [400x3] | I think so. |
but hard to exploit more. security is on, so only access to cgi-bin and childs. cgi-bin should not be writable by the cgi-user. except if cgis run as your account, then i could write a script with -cs and call that in the next step. | |
and getting data out does not work, because rebol first prints its version-stuff, and webserver thinks "header wrong" | |
| Pekr 5-Dec-2005 [403x4] | ok, just tried it - Volker is right ... |
I can see processes, for one read/custom two of them - dunno why ... | |
but you could flood server, running hundreds of instances .... keeping them in memory for long time ... | |
now - is it a rebol vulnerability? Or just putting rebol into cgi-bin is the simple cause? | |
| Volker 5-Dec-2005 [407x4] | Yes, but i could also call hundreds of regular scripts to keep server busy. although this way is easier, i can allocate lots of mem with one call. |
I would say: do no exe in cgi if it cant handle cgi. and rebol cant (except with script). | |
but it could protect itself by checking for cgi without -c? So not a bug, but a missing feature? | |
do no exe in cgi -> put no exe in cgi-bin | |
| Graham 5-Dec-2005 [411] | security through obsfuscation .. rename your rebol binary ! |
| Pekr 5-Dec-2005 [412] | how could it protect itself? How does it know it is in place to be run as a cgi interpreter? |
| Volker 5-Dec-2005 [413] | Hmm, good question. May be hard. |
| Pekr 5-Dec-2005 [414x2] | Graham - my server is far from popular. I think no-one will do Volker's like trick. But you might be right, if we teach ppl to simply put rebol into cgi-bin dir, and then such "vulnerability" is found, ISPs might hate it .... |
renaming executable might work ... sufficiently enough imo ... | |
| Volker 5-Dec-2005 [416] | I see no reason why not to put it somewhere else, outside of web-folders. |
| Graham 5-Dec-2005 [417] | Hosts wont' normally put rebol into their own cgi-bin |
| Pekr 5-Dec-2005 [418] | Graham - because then user can't do it, ISP has to ... |
| Graham 5-Dec-2005 [419] | Volker, often hosts will not allow exes outside cgi-bin |
| Volker 5-Dec-2005 [420] | Usually you can put it in homedir or such. |
| Graham 5-Dec-2005 [421] | so, even if you put outside the webfolders, you can't then execute it |
| Pekr 5-Dec-2005 [422] | Volker: but usually you don't get console access, only ftp to copy your web to ... |
| Volker 5-Dec-2005 [423x2] | Hmm, that is bad. thought exes outside would be ok. talk to host? |
I did that for micha and it worked. thought that is common. | |
| Pekr 5-Dec-2005 [425] | advantage of having rebol in cgi-bin is, that you can update it yourself, not asking your ISP to update it for you each time new version is out :-) |
| older newer | first last |