Re: cgis and server side includes

Daniel Mahler (mahler@nospam.socs.uts.edu.au)
Wed, 29 May 1996 18:21:14 +1000 (EST)

Here is a summary of (more than :)) what I understand.

Web related security risks can be classified as follows:
1) insecure CGI/SSI
1a) the owner is malicious
1b) the owner is merely ignorant
2) insecure server

Cgi-wraps are primarily intended to deal with (1a).
The scenario being prevented is:
User X writes a program that does something nasty.
To reduce the chances of getting caught,
X sets the program up as a CGI script
and triggers it through a browser;
Thus, "nobody" did it,
at least as far as the various log files are concerned.
The idea is that with cgi-wraps, X did it, even in the log files.

In (1b) cgi-wraps still can help a little.
Now there is an ignorant user X supplying the dangerous script,
and a malicious other, Y, possibly on the other side of the world
or on the same machine.
Cgi-wrap helps identify X;
this at least speeds up the removal of the offending script.
Cgi-wrap will not help identify Y directly.
However, X or the script may help with that.

Now for the drawbacks:
Some cgi scripts may be secure with the old set up,
but become insecure once they are run with extra privileges.
Extra privileges may significantly widen an existing security hole;
this would also apply in the case of an insecure server.

Security breaches caused by cgi-wrap
are more serious for everyone, not just the owner.
If your directories are sufficiently insecure to be trashed by nobody,
then they can be trashed by user X.
However, X may have group privileges with respect to your files.
This would not be a problem without cgi-wrap
(I am particularly thinking of case (1b)).

It may not generally be possible for administrators
to distinguish (1a) from (1b);
people can always plead stupidity,
and they may even set up the scripts to look that way.
Thus cgi-wrap may not be as much of a deterrent as hoped.

I do not know much about systems administration
or running a http-server, but I would have thought
that the offending script and, hence, its owner
can be traced through the log files anyway.
Tracing the person abusing the script seems equally difficult either way.

Overall, it seems like cgi-wrap may pose more problems than it solves.

Daniel
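The mechanism Daniel describes, a setuid launcher that runs a script as its owner so the logs name X rather than "nobody", together with the drawback that the script now carries X's privileges, is shown below as a minimal wrapper. This is an added illustration written for this page, not CGIwrap's own source; the MIN_UID cutoff, the refusal rules and the syslog message are assumptions about a sensible policy, not something the post specifies.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <grp.h>
#include <pwd.h>
#include <syslog.h>
#include <sys/stat.h>

#define MIN_UID 1000 /* assumption: ordinary users start here; lower uids are system accounts */

/* Policy on the script's owner and mode bits. Returns NULL when the script may
 * be run as its owner, otherwise the reason for refusing. These rules are an
 * assumed policy, not a quote of any real wrapper. */
const char *wrap_policy(uid_t owner, mode_t mode)
{
    if (owner < MIN_UID)            return "owned by root or a system account";
    if (mode & (S_ISUID | S_ISGID)) return "script is itself setuid/setgid";
    if (mode & (S_IWGRP | S_IWOTH)) return "script is group- or world-writable";
    if (!(mode & S_IXUSR))          return "script is not executable by its owner";
    return NULL;
}

/* Drop from the wrapper's (setuid) identity to the script owner's uid and
 * primary gid only, log who is being charged with the run, then exec.
 * Returns 1 on any failure; on success execv() never returns. */
int run_as_owner(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) {
        fprintf(stderr, "refused: %s is missing or not a regular file\n", path);
        return 1;
    }
    const char *why = wrap_policy(st.st_uid, st.st_mode);
    if (why) { fprintf(stderr, "refused: %s\n", why); return 1; }
    struct passwd *pw = getpwuid(st.st_uid);
    if (!pw) { fprintf(stderr, "refused: no account for uid %lu\n", (unsigned long)st.st_uid); return 1; }

    gid_t gid = st.st_gid;
    /* groups first: after setuid() the process can no longer change them */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(st.st_uid) != 0) {
        perror("privilege drop"); return 1;
    }
    /* confirm the drop stuck before handing control to the script */
    if (getuid() != st.st_uid || geteuid() != st.st_uid) return 1;

    /* this is the "X did it, even in the log files" part */
    syslog(LOG_INFO, "cgi-wrap: %s run as %s (uid %lu)", path, pw->pw_name, (unsigned long)st.st_uid);
    char *const args[] = { (char *)path, NULL };
    execv(path, args);
    perror("execv");
    return 1;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s /path/to/script.cgi\n", argv[0]); return 2; }
    return run_as_owner(argv[1]);
}
```

Note that nothing here makes the script itself any safer: every hole in it is now exercised with X's uid and group memberships, which is exactly the widening of privilege the post warns about.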