Shell Simulation Via CGI
mischi writes "CGI-Shell simulates a shell using CGI. So everybody who has a CGI-directory on a web-server, also has its own shell on it -- comparable with Telnet or SSH.
That's really practical, because most webhosters don't offer a shell (for free) -- but do offer CGI.
With CGI-Shell you can execute commands, copy files or just explore your webserver. Even a history and auto-completion with tabulator are included."
waiting to happen. Expect to see hosting providers outlaw this quickly, if they haven't done so in their ToSes already.
Most webserver setups run under a non-privileged UID of 'nobody' or the like... which means that normally, the web server user would not be able to access files owned by YOUR own UID. Would there be some sort of set-UID involved here?
There's 10 types of people in this world, those who understand binary and those who don't.
I use it to add ipfwd lines to an internal router box around here. Runs in cgi under apache, lets me type sh commands and see the output.
This is just a new version of an old product, and has the same major problem: "applications interacting with the user (those that ask for input from the user), e.g. passwd are still a problem."
So it's good for doing a chmod or ipfwd line, but you can't run vi or the like.
How hard would it be to get full terminal emulation through a browser applet?
I don't need no instructions to know how to rock!!!!
Any exploits that this allows idiots/script kiddies to do are exploits that a Perl programmer with half a brain can write in about 6 lines of code:
If your web server is so badly configured that this creates security issues for you, you seriously need to read up on security.
.02
cLive ;-)
-- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
Whine whine whine script kiddies paradise, whine whine whine backdoor shenanigans
baka.
1) commands run with as much permissions as the perl script itself, including umask. If there just happens to be a local r00t expl0it, well that's too bad. Perhaps it would motivate the server owner to apply some patches. Any damage would be limited to that which can be done with shell access otherwise (which this is supposed to provide). Moreover, it would behoove the owner of said script to make a few simple changes and use a white list of allowed commands or a blacklist of dubious things to prevent shenanigans (i.e. no eval, command interpolation, or exec, and limiting PATH)
2) htaccess is as secure as telnet (perhaps more so). I have telnet open to untrusted accounts, and I've not been rooted. The only thing I would complain about is how browsers manage basic auth permissions. I would encourage users to modify the script to remove any weird html and write a user-interface shell script (using curl or something) to provide a pseudo-terminal session. This would prevent the session from being hijacked by browser bugs or by just not closing out of Moz or IE.
3) Finally, there is nothing about this that would prevent you from using SSL... a feature that some sites might provide as a side effect of having a management, ecommerce, or sign-up site hosted on the same machine.
One thing I don't like is the lack of simple console i/o. It would be nice to provide simple console support via HTTP/1.1 streaming and javascript on the client side; it wouldn't be interactive but it could at least emulate things like no-echo with a "password" textbox vs. a normal textbox.
It sounds like a lot of work though.
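The hardening outlined in point 1 above (an allow-list of commands, no command interpolation, a limited PATH and umask), as an added Perl example that is neither CGI-Shell's code nor the poster's; the command paths and the `cmd` request parameter are assumptions for a Linux host.

```perl
#!/usr/bin/perl
# Added example, not CGI-Shell's own code: a CGI command runner built around the
# hardening suggested above (allow-list, no interpolation, fixed PATH, umask).
# Command paths and the 'cmd' parameter name are assumptions for a Linux host.
use strict;
use warnings;
use CGI qw(param header);   # CGI.pm is no longer a core module on modern Perls

# Allow-list: command name => absolute path. Everything else is refused.
my %ALLOWED = (ls => '/bin/ls', cat => '/bin/cat', chmod => '/bin/chmod');

# Minimal environment instead of whatever Apache exported, and a restrictive
# umask so anything the commands create is private to the CGI user.
%ENV = (PATH => '/bin:/usr/bin');
umask 077;

# Parse one request line into an argv list. Words may only use a conservative
# character set, so ; | & ` $ ( ) < > and quotes never reach exec at all.
# Returns (argv_ref, undef) on success or (undef, reason) when refusing.
sub validate {
    my ($line) = @_;
    return (undef, 'empty command') unless defined $line && $line =~ /\S/;
    my ($cmd, @args) = split ' ', $line;
    return (undef, "'$cmd' is not on the allow-list") unless exists $ALLOWED{$cmd};
    for my $w (@args) {
        return (undef, "argument '$w' has disallowed characters")
            unless $w =~ m{^[-\w./:=\@]+$};
    }
    return ([ $ALLOWED{$cmd}, @args ], undef);
}

# Run argv directly: fork, pipe the child's output back, and use the
# indirect-object form of exec so /bin/sh is never consulted, even for one word.
sub run_argv {
    my ($argv) = @_;
    my $pid = open(my $out, '-|');           # forking open: undef on failure
    return "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {
        open STDERR, '>&', \*STDOUT;         # send stderr down the same pipe
        exec { $argv->[0] } @$argv or exit 127;
    }
    my $output = join '', <$out>;            # read until the child exits
    close $out;
    return $output;
}

print header('text/plain');
my ($argv, $err) = validate(scalar param('cmd'));
print defined $err ? "refused: $err\n" : run_argv($argv);
```

Access control in front of the script (htaccess or SSL, as points 2 and 3 describe) is still required; the allow-list only bounds what an authenticated request can run.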
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
I'm surprised this is considered news, since it's an age-old idea.
Friends of mine once used a cheapo ISP who did not offer shell access, but who made the mistake of running Apache with root privileges. They used a similar script years ago to do remote administration of their site on that mis-configured server. They never exploited the security hole, but they always thought it was funny that they had a "limited web account" yet full access to everything on the server.
------------------
You may like my a cappella music
Yeah it works--I got some pretty upset phone calls last year at my university, when my box had shut down an NT "corridor" machine to the scripted, dynamic "student accounts pages"... They pulled my internet connection for 3 days (it happened over a weekend) with an order to fix it before they restored my connection.
They also threatened to bill me for their damages--an estimated $700. (I have no idea where they dreamed up that number.)
I'm just too lazy to go find a link--there has been declared today a "low brain activity advisory" by the National Weather Service. :)