Hi Eric

Nice to hear from you!

Thanks a lot for that info! I read the note "TODO: POST method. I'm not
really worried about this, as support for 'post' would only make folks try
to use this as a configuration gateway, for LRP, and I really don't think
it's secure enough for that." on Charles' site and based on that I thought
that it's just a waste of time to try that with weblet. This was 2 months
ago. At this time, I thought that "POST" is the only form method possible at
all... (I'm not the HTML-guy.. :))

You're right, the rights are a big problem. I noticed that 10min after
sending this mail to the list. I tried to run thttpd with "root" rights and
it seems that it runs with root rights (ps aux shows that) but no root
commands are executed (ipchains and ip commands). I don't have any idea why
it won't run.
It seems that it runs with weblet...

I'll try out my script with weblet.

Have a nice weekend

Sandro Minola


-----Original Message-----
From: Eric Wolzak [mailto:[EMAIL PROTECTED]]
Sent: Saturday, September 15, 2001 10:00 PM
To: Sandro Minola; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] thttpd CGI Forms for administrating Firewall
through browser


Hello All, Sandro
> hi all
>
> i asked myself, why there is no web-based admin tool for LRP which allows
> the admin to ENTER something. weblet is great but just a viewer.
> i first tried to use weblet for HTML forms with post or get method. i found
> out, that weblet doesn't support any methods.
>
The weblet does accept input. I used it in my web-based shorewall
configuration.
If you use the original weblet, then you know that by clicking on the
pictures you get other information.
In the shorewall configuration weblet, I also used a bash script that
runs as a result of sending the form.
This is a security risk; the other problem is that to change
something essential in the configuration (firewall etc.) the weblet
has to be run with root rights.
I didn't update the configuration tool, for 2 reasons: not much
time, and no response at all, so I assumed that nobody was
interested.

> BUT thttpd does! then i tried how to get form entries parsed with bash. i
> wrote a script which parses the entries from the user by GET method. result
> is:
> $[fieldname]=[string by user]
>
> it runs with more than one form field....
>
> i'm not the bash guru, can someone have a look at my script and tell me, if
> there is a better way to do that (w/o writing to a temp file).
>
I'm sorry I didn't have time to try out the script, but I can tell you
about my experience with this.
In my first version I used a pipe in several places
data is processed | now the second process takes place
and found out that, for a reason I couldn't detect, this didn't work out
every time.
The version
data is processed > Written_to_tempfile
do something with tempfile
however worked.
As you usually don't have lots of users configuring your box ;)
the loss of speed with a temp file located in RAM won't be a
problem IMHO
> i hope this example is useful for those who want to develop some html forms
> which allow to admin a LRP box through browser. i know that this is a
> potential security hole but perhaps someone knows how to protect webpages
> with a password in thttpd
> (.htaccess !?)
>
If there are more people interested, we could join our efforts :=)
> greetings
> Sandro Minola
> (Script at the bottom)
>
> Example Script:
>
> #!/bin/sh
> STRINGS=`echo $QUERY_STRING|cut -d'&' -f*`
> for STRING in $STRINGS ; do
>         echo $STRING >> /var/tmp/wwwget.tmp
> done ; unset STRING ; unset STRINGS
>
> . /var/tmp/wwwget.tmp
>
> cat <<- /HTML-DATA
> Content-type: text/html
>
> <HTML><HEAD><TITLE>HTML Form TEST Page</TITLE></HEAD>
>
> $(echo $NAMEOFFIELD1)
> $(echo $NAMEOFFIELD2)
> $(echo $NAMEOFFIELD?)
>
> $(rm /var/tmp/wwwget.tmp)
> </BODY></HTML>
> /HTML-DATA
>

back again ;)
Eric Wolzak

http://leaf.sourceforge.net/devel/ericw


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
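
On the question raised in the thread about parsing GET fields without a temp file: the quoted script sources `/var/tmp/wwwget.tmp`, so whatever arrives in `QUERY_STRING` is run as shell code with the web server's rights. The sketch below is an added example, not code from either poster or from weblet/thttpd; it reads fields as data only and checks them against an allowlist. The function names and the sample request are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: treat QUERY_STRING as data; nothing is sourced or eval'd.

# urldecode STRING: '+' -> space, %XX -> byte. "( )" body keeps vars local.
urldecode() (
    in=$(printf '%s' "$1" | tr '+' ' ')
    out=
    while [ -n "$in" ]; do
        case $in in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${in#?}; hex=${hex%"${hex#??}"}
                out=$out$(printf '%b' "\\0$(printf '%o' "0x$hex")")
                in=${in#???} ;;
            *)  rest=${in#?}; out=$out${in%"$rest"}; in=$rest ;;
        esac
    done
    printf '%s' "$out"
)

# get_field NAME: print the decoded value of field NAME; status 1 if absent.
get_field() (
    rest=$QUERY_STRING
    while [ -n "$rest" ]; do
        pair=${rest%%&*}
        case $rest in *'&'*) rest=${rest#*&} ;; *) rest= ;; esac
        [ "${pair%%=*}" = "$1" ] || continue
        case $pair in *=*) urldecode "${pair#*=}" ;; esac
        exit 0      # leaves only this subshell
    done
    exit 1
)

# is_safe_token VALUE: allowlist check before a value goes near a command.
# Rejects empty values, a leading '-' and anything outside [A-Za-z0-9._-].
is_safe_token() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample request; the second field decodes to "x; echo hi".
: "${QUERY_STRING:=iface=eth0&note=x%3B+echo+hi}"
for f in iface note; do
    v=$(get_field "$f") || continue
    if is_safe_token "$v"; then echo "$f=$v accepted"; else echo "$f rejected"; fi
done
```

Values echoed back into the HTML page still need `&`, `<` and `>` escaped, which this sketch does not do.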
