AltME groups homeHelpJoin REBOL3 world
  Find AltME posts   Help

Recent posts

Worlds:r4wpr3wp
AccessibilityAbout / FAQ
Member's loungeContact/FeedbackOther REBOL links
Membership:
member name

password

Remember?

Not a member? Please join
14-Nov 17:10 UTC
[0.06] 17.423k
r3wp [groups: 83 posts: 189283]
  • Home
  • Script library
  • AltME Archive
  • Mailing list
  • Articles Index
  • Site search
 

World: r3wp

Join the discussions in the REBOL3 world...

[CGI] web server issues

older
newer		first
last
Graham
5-Dec-2005
[380]
well, I still think it's safe :)
Volker
5-Dec-2005
[381x3]
another try, Pekr does not find a new file.

probe read/custom http://www.cod-okna.cz/cgi-bin/rebolprobe [

 post {write %exploited.txt "Ooops" print "content-type: text/plain^/^/oho^/"}
]

-> i hope does not find.
Pekr
5-Dec-2005
[384]
no new rebols in ps - aux output yet :-)
Volker
5-Dec-2005
[385]
No, that should only run, make a file in rebols dir and quit. Hmm, 
in the current dir, where is that?
Pekr
5-Dec-2005
[386]
no files in-there ....
Volker
5-Dec-2005
[387]
then Graham is right i think. although i would not do it :)
Pekr
5-Dec-2005
[388x2]
well, but it is good option to simply make nearly whatever provider 
a rebol hoster :-)

I think that it is legitimate aproach though. IIRC, my first article 
I read in some 1996 regarding cgi, was stating something like - put 
your C app into cgi-bin directory. Back then the author was describing 
that cgi is simply common gateway interface, and that your executable 
app should be put in cgi-bin directory. And rebol is C app :-)
Sunanda
5-Dec-2005
[390]
Petr: <<I mean - above block in 'join statement is reduced - is it 
secure?>>

That should be okay.  You could just do a construct/with to create 
an object.

If you are intending to create an object, then pre-process the block 
from decode-cgi to ensure that the word "self" is not used as a keyword 
(tip courtesy of Chris RG, if I remember rightly).
Volker
5-Dec-2005
[391x2]
Not sure. Maybe he means main app?

i mean a main app in c.
Pekr
5-Dec-2005
[393]
thanks guys ....
Volker
5-Dec-2005
[394x2]
wait! how many sleeping rebols do you want?

url: http://www.cod-okna.cz/cgi-bin/rebol
print "should be fast"
probe attempt[ read probe url]  ; 
print "should be slow"
probe attempt[ 
 read/custom  url probe [
  post {wait 4^/}
 ]
]
Pekr
5-Dec-2005
[396]
and? You are imo reading rebol executable, that is all :-)
Graham
5-Dec-2005
[397]
he's trying to start it up and leave a console running
Volker
5-Dec-2005
[398]
No, the second time i do a wait. that should be slower.
Pekr
5-Dec-2005
[399]
ah, but the console would have to get that command (wait 4) - do 
you think it is passed to it?
Volker
5-Dec-2005
[400x3]
I think so.

but hard to exploit more. security is on, so only access to cgi-bin 
and childs. cgi-bin should not be writable by the cgi-user. except 
if cgis run as your account, then i could write a script with -cs 
and call that in the next step.

and getting data out does not work, because rebol first prints its 
version-stuff, and webserver thinks "header wrong"
Pekr
5-Dec-2005
[403x4]
ok, just tried it - Volker is right ...

I can see processes, for one read/custom two of them - dunno why 
...

but you could flood server, running hundreds of instances .... keeping 
them in memory for long time ...

now - is it a rebol vulnerability? Or just putting rebol into cgi-bin 
is the simple cause?
Volker
5-Dec-2005
[407x4]
Yes, but i could also call hundreds of regular scripts to keep server 
busy. although this way is  easier, i can allocate lots of mem with 
one call.

I would say: do no exe in cgi if it cant handle cgi. and rebol cant 
(except with script).

but it could protect itself by checking for cgi without -c? So not 
a bug, but a missing feature?

do no exe in cgi -> put no exe in cgi-bin
Graham
5-Dec-2005
[411]
security through obsfuscation .. rename your rebol binary !
Pekr
5-Dec-2005
[412]
how could it protect itself? How does it know it is in place to be 
run as a cgi interpreter?
Volker
5-Dec-2005
[413]
Hmm, good question. May be hard.
Pekr
5-Dec-2005
[414x2]
Graham - my server is far from popular. I think no-one will do Volker's 
like trick. But you might be right, if we teach ppl to simply put 
rebol into cgi-bin dir, and then such "vulnerability" is found, ISPs 
might hate it ....

renaming executable might work ... sufficiently enough imo ...
Volker
5-Dec-2005
[416]
I see no reason why not to put it somewhere else, outside of web-folders.
Graham
5-Dec-2005
[417]
Hosts wont' normally put rebol into their own cgi-bin
Pekr
5-Dec-2005
[418]
Graham - because then user can't do it, ISP has to  ...
Graham
5-Dec-2005
[419]
Volker, often hosts will not allow exes outside cgi-bin
Volker
5-Dec-2005
[420]
Usually you can put it in homedir or such.
Graham
5-Dec-2005
[421]
so, even if you put outside the webfolders, you can't then execute 
it
Pekr
5-Dec-2005
[422]
Volker: but usually you don't get console access, only ftp to copy 
your web to ...
Volker
5-Dec-2005
[423x2]
Hmm, that is bad. thought exes outside would be ok. talk to host?

I did that for micha and it worked. thought that is common.
Pekr
5-Dec-2005
[425]
advantage of having rebol in cgi-bin is, that you can update it yourself, 
not asking your ISP to update it for you each time new version is 
out :-)
Volker
5-Dec-2005
[426x2]
can you have subdirs with cgi-scripts? so that you can call http://cgi-bin/project1/script.cgi
?

then maybe you can restrict access to that folder by .htaccess.
Pekr
5-Dec-2005
[428]
well, as for my server, I can install rebol regullarly. We just were 
thinking loud here with Graham, if that is good aproach or not to 
have it in cgi-bin, so simply you could run your rebol scripts without 
ISP to even know you are using rebol :-)
Volker
5-Dec-2005
[429]
Grahams obfuscation-trick should work too, as long as nobody on the 
same server tries to break in.
older
newer		first
last