Shell Simulation Via CGI

← Back to Stories (view on slashdot.org)

Posted by Hemos on Monday February 3, 2003 @09:22AM from the playing-around dept.

mischi writes "CGI-Shell simulates a shell using CGI. So everybody who has a CGI-directory on a web-server, also has its own shell on it -- comparable with Telnet or SSH. That's really practical, because most webhosters don't offer a shell (for free) -- but do offer CGI. With CGI-Shell you can execute commands, copy files or just explore your webserver. Even a history and auto-completion with tabulator are included. "

3 of 332 comments (clear)

Min score:

Reason:

Sort:

Backdoors by TheGreek · 2003-02-03 09:23 · Score: 5, Interesting

waiting to happen. Expect to see hosting providers outlaw this quickly, if they haven't done so in their ToSes already.
UID issues by Ryu2 · 2003-02-03 09:29 · Score: 5, Interesting

Most webserver setups run under a non-priveleged UID of 'nobody' or the like... which means that normally, the web server user would not be able to access files owned by YOUR own UID. Would there be some sort of set-UID involved here?

--
There's 10 types of people in this world, those who understand binary and those who don't.
Stop whinging - this is a good thing by cliveholloway · 2003-02-03 09:39 · Score: 5, Interesting

Any exploits that this allows idiots/script kiddies to do are exploits that a Perl programmer with half a brain can write in about 6 lines of code:

use CGI; my $q=CGI->new(); my $command = $q->param('command') $command and print $q->header('text/plain').`$command`."\n" and exit; print $q->header.$q->start_html.$q->start_form.$q->textf ield('command').$q->end_form.$q->end_html;

If your web server is so badly configured that this creates security issues for you, you seriously need to read up on security.
.02
cLive ;-)

--
-- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism