On Apr 29, 2006, at 8:28 AM, J. Landman Gay wrote:
Tariel Gogoberidze wrote:
You can do it if you keep the stack somewhere else outside of the
CGI
folder, but I hear that can be a security risk (though I'm not
sure how
exactly, but someone wrote me once with very strong opinions
about it.)
Probably because it opens the door to what's usually called
"executing arbitrary code on remote computer" :)
Right, that's what they said, but I don't see how it could be done.
The CGI would only write specific data to a specific stack, and
there isn't any way to make it behave differently by sending
commands to it. As long as your CGI only operates on valid input,
how could someone execute code?
The only way a CGI could be misused that way is if it contained a
line of script like:
do the params
It is rather safe to use the "do" command here. I haven't come across
any crackers does xTalk, yet ;)
It is even safer if you:
set secureMode to true -- all access to file system and other
system resources is disabled.
if you don't really need to read/write files.
My greater fear are the shell() command and the file path system. If
you pipe the parameter directly to the shell() command, you are in
great risk. Also, if you would allow the browser end to specify
resources thru the path name (like /myfolder/myfile.txt), the risk of
exposing other files will be there (cracker may specify something
like ../../../known-system-file).
MetaCard engine is rather safe to use as CGI. Just like php/perl/
java. It is the application that opens the loophole. I've got people
hacked into my development server via mambo* loophole (developed on
php), I can only blame myself on not getting mambo up to date, there
is really nothing to do with php and mysql.
* http://www.mamboserver.com/
--
which would be a really stupid thing to include. I can't think how
a MC CGI could be abused without something like that in it.
--
Jacqueline Landman Gay | [EMAIL PROTECTED]
HyperActive Software | http://www.hyperactivesw.com
_______________________________________________
metacard mailing list
[email protected]
http://lists.runrev.com/mailman/listinfo/metacard
_______________________________________________
metacard mailing list
[email protected]
http://lists.runrev.com/mailman/listinfo/metacard
