On Fri, 22 Oct 1999, Stephen Turner wrote:

> On Thu, 21 Oct 1999, Aengus Lawlor wrote:
> > 
> > The documentation says of CGI ON that "You can't choose any options that 
> > way though". This isn't my experience. I just typed in the following URL
> > 
> > http://<server>/analog/analog.exe?c:\logs\jun.log+c:\logs\jul.log+%2bC"HOSTNAME+Test"+%2bO-+%2bC"CGI%20ON"
> > 
> > and got a report for the two logs specified, and with the specified 
> > hostname.
> 
> Hmmm. It looks as if your server is passing those arguments in on the
> command line. I didn't think that was normal behaviour, but I'll check on
> my Apache this evening.
> 
> In this case, it's a serious security risk. The anlgform.pl filters out
> certain dangerous arguments. For example, if someone specified HEADERFILE in
> your example, they could view any file on the system. Don't keep it there!
> 

OK, as far as I can see Apache doesn't pass the arguments. Is this IIS doing
this?

It seems to me, as I explained before, that this is a serious security
risk. Of course, I can warn people about it, but they won't necessarily
know, or be able to find out easily, whether their server is an at-risk one.
Or even read the instructions.

At this moment, I'm minded to remove the CGI command from analog altogether,
and only allow CGI access via anlgform.pl. This is in some ways less 
convenient, but I don't think I can advertise a feature when it's very
likely to be set up as a security risk.

In fact, it's worse than that. Even if people don't ever find the CGI
command, they still sometimes put analog.exe in their CGI directory,
thinking it's somehow a CGI script [*], and they would still be vulnerable
to this exploit.

Does anyone have any comments on this proposal (to disable the CGI
command), for or against?


[*] I've even had people write to me very confused because they tried to
open analog.exe in a text editor, and it doesn't look like a CGI (presumably 
meaning Perl) script.

-- 
Stephen Turner    [EMAIL PROTECTED]    http://www.statslab.cam.ac.uk/~sret1/
  Statistical Laboratory, 16 Mill Lane, Cambridge CB2 1SB, England
  "Due to the conflict in Kosovo, we will not be showing the movie Wag the
   Dog. Instead, we will show Mortal Kombat: Annihilation." Cable & Wireless
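The mechanism the thread is worried about is the CGI "indexed query" rule (RFC 3875 section 4.4): when QUERY_STRING contains no "=", the server splits it on "+" and percent-decodes each piece into a command-line argument of the executable. Because the split happens before decoding, an option-introducing "+" that is written as %2b survives into argv, which is exactly what the quoted URL does. The following is an added illustration, not code from analog or anlgform.pl: it reconstructs argv from the query string quoted above and then applies an allowlist filter of the kind a CGI front end needs. The allowlist contents (HOSTNAME and CGI, the two commands visible in the thread) and the HEADERFILE attack string are assumptions for the example; the real anlgform.pl filter list is not shown on this page.

```python
"""Reconstruct a CGI indexed-query argv and filter it with an allowlist.

Added example; it is not analog's or anlgform.pl's own code.
"""
import urllib.parse

# Constructed sample: the query-string part of the URL quoted in the thread.
SAMPLE_QUERY = (
    'c:\\logs\\jun.log+c:\\logs\\jul.log'
    '+%2bC"HOSTNAME+Test"+%2bO-+%2bC"CGI%20ON"'
)

# Assumed for illustration: configuration commands a web front end may pass
# through. Anything else, including the file-reading HEADERFILE command the
# thread names, is rejected. This is not anlgform.pl's real list.
ALLOWED_COMMANDS = {"HOSTNAME", "CGI"}


def indexed_query_to_argv(query_string):
    """Apply RFC 3875 s4.4 to a query string and return the resulting argv.

    The server only does this when the query string has no '='; it splits
    on '+' first and percent-decodes afterwards, so '%2b' becomes a literal
    '+' inside one argument instead of acting as a separator.
    """
    if "=" in query_string:
        return []
    return [urllib.parse.unquote(piece) for piece in query_string.split("+")]


def classify_argument(arg):
    """Return (accepted, reason) for one decoded command-line word."""
    if arg[:2] in ("+C", "-C"):
        # +C"VERB value": the configuration verb is the first word after +C,
        # ignoring an opening quote that may have come through from the URL.
        words = arg[2:].lstrip('"').split()
        verb = words[0].upper() if words else ""
        if verb in ALLOWED_COMMANDS:
            return True, "configuration command %s is allowlisted" % verb
        return False, "configuration command %r is not allowlisted" % verb
    if arg[:1] in ("+", "-"):
        return False, "raw option switches are not accepted from the web"
    # Bare words are log file paths on analog's command line; a public CGI
    # front end should fix those server-side rather than take them from a URL.
    return False, "positional file names are not accepted from the web"


def filter_argv(argv):
    """Split argv into accepted and rejected (arg, reason) lists."""
    accepted, rejected = [], []
    for arg in argv:
        ok, reason = classify_argument(arg)
        (accepted if ok else rejected).append((arg, reason))
    return accepted, rejected


if __name__ == "__main__":
    argv = indexed_query_to_argv(SAMPLE_QUERY)
    print("argv the server would hand to analog.exe:")
    for a in argv:
        print("  %r" % a)
    accepted, rejected = filter_argv(argv)
    print("accepted:", [a for a, _ in accepted])
    for a, why in rejected:
        print("rejected %r: %s" % (a, why))
    # Hypothetical attack string of the kind the thread warns about.
    print(classify_argument('+C"HEADERFILE c:\\secret.txt"'))
```

Run it as a script to see the six-element argv the quoted URL produces; note that the "+" inside the quoted HOSTNAME value is also treated as a separator, since quoting means nothing to the server at this stage. The point of the allowlist is that the danger is not any one command but the fact that every command analog understands, HEADERFILE included, is reachable once the server forwards the query string as argv; only a fixed front end that names what it will pass through closes that.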

------------------------------------------------------------------------
This is the analog-help mailing list. To unsubscribe from this
mailing list, send mail to [EMAIL PROTECTED]
with "unsubscribe analog-help" in the main BODY OF THE MESSAGE.
List archived at http://www.mail-archive.com/analog-help@lists.isite.net/
------------------------------------------------------------------------