On Tue, 16 Jan 2001, Michael R. Wayne wrote:

> Background:
>    We recently had a customer's web site suffer an attempted exploit
>    via one of their cgi scripts.  The attempted exploit involved
>    writing a file into /tmp, then invoking inetd with that file to
>    get a root shell on a non-standard port.  While the exploit
>    failed, they were able to write the file as user nobody and
>    invoke inetd.  There is not much we can do about that as long
>    as we permit customers to use their own cgi scripts, which is
>    a requirement with this type of account.

If you are using apache (who isn't?), I highly suggest you look into using
suexec. That way bad CGI programming is offloaded to the customer and not
to your system.

-gordon
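The suexec recommendation only helps once the customer's scripts pass the checks suexec applies before it will run anything as the customer's uid: the script and its directory must not be writable by group or other, the script must not be setuid or setgid, and both must be owned by the user the vhost is configured for. The following pre-flight check is an added example and is not code from this thread or from Apache itself; it encodes those documented suexec rules in plain POSIX shell (only `ls -ld`, `cut` and `awk`) so it can run from a provisioning hook or cron job on a FreeBSD or Linux host and report what suexec would reject before it surfaces as a 500 in the error log. The function name, its arguments and the output format are assumptions made here.

```shell
#!/bin/sh
# Added example: pre-flight check of a customer's cgi-bin against the
# ownership and permission rules Apache's suexec enforces.  Not from the
# thread or from Apache; the checked rules are suexec's documented ones.
#
# Usage: suexec_precheck CGI_DIR [EXPECTED_OWNER]
# Prints one REJECT line per problem and returns 1 if any were found.

# mode_bits FILE -> the 10-character permission string from ls -ld
mode_bits() {
    ls -ld "$1" | cut -c1-10
}

# owner_of FILE -> the owning user name (third column of ls -ld)
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# check_one PATH KIND [EXPECTED_OWNER]
# KIND is "dir" or "script".  Returns 1 if any suexec rule is violated.
check_one() {
    p="$1" kind="$2" want="${3:-}"
    rc=0
    m=$(mode_bits "$p")
    # suexec refuses a directory or script writable by group or other
    case "$m" in
        ?????w????|????????w?)
            echo "REJECT $kind $p: writable by group or other ($m)"
            rc=1 ;;
    esac
    # suexec refuses a setuid or setgid target program
    if [ "$kind" = script ]; then
        case "$m" in
            ???[sS]??????|??????[sS]???)
                echo "REJECT $kind $p: setuid/setgid bit set ($m)"
                rc=1 ;;
        esac
    fi
    # the directory and script must be owned by the configured target user
    if [ -n "$want" ]; then
        have=$(owner_of "$p")
        if [ "$have" != "$want" ]; then
            echo "REJECT $kind $p: owned by $have, suexec target user is $want"
            rc=1
        fi
    fi
    return $rc
}

# suexec_precheck CGI_DIR [EXPECTED_OWNER]: check the directory itself and
# every regular file directly inside it.
suexec_precheck() {
    dir="$1" want="${2:-}"
    bad=0
    check_one "$dir" dir "$want" || bad=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        check_one "$f" script "$want" || bad=1
    done
    return $bad
}

# Stand-alone use: suexec_precheck /home/customer/public_html/cgi-bin customer
if [ $# -gt 0 ]; then
    suexec_precheck "$@"
fi
```

Run it against each customer's cgi-bin with the user name you put in that customer's vhost; a clean exit status means suexec's static checks will pass, so any remaining refusal is a configuration problem (document root, uid range, environment) rather than file ownership or mode.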



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message