Slashdot Mirror

← Back to Stories (view on slashdot.org)

Shell Simulation Via CGI

Posted by Hemos on from the playing-around dept.

mischi writes "CGI-Shell simulates a shell using CGI. So everybody who has a CGI-directory on a web-server, also has its own shell on it -- comparable with Telnet or SSH. That's really practical, because most webhosters don't offer a shell (for free) -- but do offer CGI. With CGI-Shell you can execute commands, copy files or just explore your webserver. Even a history and auto-completion with tabulator are included. "

7 of 332 comments (clear)

  1. Re:security? by smerritt · · Score: 5, Informative

    Well, most CGIs run as the user ID of the web server, so unless something like Apache's suEXEC is being used, this is no substitute for having genuine shell access.

    If two or more people on a server both install this, they can read and modify each other's files, etc. since the CGIs will be running as the same user.

  2. Probable hosting service response. by Minupla · · Score: 5, Informative

    If I were a hosting service, I'd be visiting the creator of that with a LART. The big reason why hosting providers do not generally provide shell accounts is that its much much harder to harden a box against attempts from a non-root user to leverage their access to get root. I predict you'll see a lot of hosting providers move away from allowing CGI because of this and things like it. That was the policy at places I ran. You couldn't put up CGI without paying for one of the sysadmins to do a security check of the script.

    Min

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  3. Re:Shell whores. by Chaswell · · Score: 3, Informative

    Oldest IRC channel control bot. The bot logs in, sits in a channel and manages ownership of the channel and protects the channel from take over. A bot of some sort is pretty important if some one plans to run a large channel for any length of time.

    You can get more info here.

  4. Re:security? by Gudlyf · · Score: 5, Informative

    I haven't taken a look at it myself, but my first thought is that this is no more harmful than what any one line PHP script could do. So long as the web admins aren't idiots and have things setup the right way, they should have nothing to worry about.

    --
    Trolls lurk everywhere. Mod them down.
  5. Re:How about a Java ssh/telnet applet? by CaptainStormfield · · Score: 3, Informative

    A very quick and dirty Google search produced numberous promising links. I tried the mindterm java app on a whim, and it worked quite well. If you are not completely paranoid, you can even use the link on their site to d/l the java applet, rather than taking up space on your web account.

    --
    "The dinosaurs died because they didn't have a space program." - Niven
  6. BS by mindstrm · · Score: 3, Informative

    I'm as much of a unix nut as the next guy.. but NT's ACL system is far more robust and flexible than the traditional unix system... hands down.

    Example: Can the standard unix permissions give access to everyone in group a,b, and c, except for user x who is also a member of groups b and c, and y, as well as ensuring that z has full access to everything? No, you can't.

    If you allow your customers to upload their own cgis, this is merely a tool.

    This IS a good tool.

  7. This is new? by Zone-MR · · Score: 4, Informative

    Scripts like this for both perl and PHP have existed for quite some time. They basically rely on one command like exec or system. In essence they just run whatever you pass them and spit out the output.

    Since this got so much publicity I was expecting something new, such as the ability to interact with interactive programs. But it seems this one lacks that feature aswell, in essence making it a poor substitute for a real shell. Pico, micq, bitchx, su, passwd, any interactive program is UNUSABLE.

    That is its biggest limitation.