MC on Apache and CGI

Sannyasin Sivakatirswami katir at hindu.org
Sun Dec 8 15:33:01 EST 2002


I use MC on all our domains in Honolulu, works fine:

This is how we have it. Possibly you know all this already, but I am 
very interested in having this area (MC security running behind Apache 
on a Unix-MacOSX box) thoroughly elucidated, as we also know virtually 
nothing about Unix security issues. So here goes with what I know to 
date:

put the engine itself in cgi-bin
    ## just like any PERL script
    ## that's protected from bad guys as far as i know
CHMOD 755 the engine itself
Put your scripts in the CGI directory along side the engine
CHMOD them also 755.

Path to engine in 1st line of the script is standard... Just look at 
any access logs for your site to see what the full machine path is to 
your directory on that machine to any file.

e.g.

#! /export/users/g/gregory/public_html/cgi-bin/mc
## is  a typical path on a virtual domain...
## where /public_html/cgi-bin/mc is the flavor for the running OS

on StartUp
  read from stdin

##make sure any path ref in your script "climbs out" of the CGI bin
##   ../someDirectory/some.file

etc.

To block other domains you need to create an "authorized domain" 
routine similar to the one in formMail.pl where

a) you parse the header from the submission from the submitting domain,
b) check that against a list of authorized domains (usually this is the 
one on which the script itself resides, or several on the same server 
under your control) to prevent hackers from making POSTs from other 
domains/servers.

==========

I asked these same questions two years ago, was told that the "wrapper" 
thing pertained to using MC as a server handling the http requests... 
not to the context where MC is used as a CGI interpreter where Apache 
is the actual server. That said, then no more damage to the server can 
be done by an MC script than one could do with a bad Perl script.

We "quietly" installed MC remotely in the cgi-bin with a nod from their 
server admin who we have hosted with since before the web began in 
93.... on trust that we would not do anything stupid just like they 
assume anyone using PERL is not going to install scripts that would do 
something radical to their server.

E.g. I see lots of attempts from outside domains to hit on our 
formMail.pl (Perl) script. You see this in the error logs where POSTs 
are coming down from outside domains to "formmail.cgi", "FormMail.pl", 
"formMail.cgi", "formMail.pl", where some guy is obviously testing to see 
if he can use my CGI... if he could only get the name right... and 
occasionally they do, but their submission is rejected by the script 
itself... not by any "wrapper" as such.

In this case this is a well-known Perl script in the public domain 
(formMail.pl) which previously had a big hole in it (go to Matt's 
Archives and see his comments at the top of the latest version of 
formMail.pl).

I am not an expert, but it would seem to me that any script in any 
language could be secure or dangerous if it did not do the obvious 
security thing of examining the globals or some initial bit of data 
from stdIn and if it is not what's expected, nothing happens.

But perhaps there are other holes or other kinds of CGI scenarios (we 
are just talking about POST here) that could be dangerous?


Sannyasin Sivakatirswami
Himalayan Academy Publications
at Kauai's Hindu Monastery
katir at hindu.org

www.HimalayanAcademy.com,
www.HinduismToday.com
www.Gurudeva.org
www.Hindu.org







On Sunday, December 8, 2002, at 09:39 AM, jbv wrote:

> Although your comments raise a few important questions that
> I'll have to discuss with the UNIX guy :
> - what is the best directory to drop the mc engine so that
> no bad guy finds it ?
> - and what can happen if any bad guy finds it ?
> - is there anything specific that can be done (by a bad guy) with MC
> as a simple cgi engine that can't be done with a php or perl engine ?
> - does it have to do with the presence of a "wrapper" (I've seen
> that word at times in articles / discussions about cgi engines) ?
> - are there any safety measures to take to prevent that ?
>
> And as for permissions : I know that the right permissions have
> to be set to mc-cgi scripts and text files used by those scripts, but
> have the feeling that there must be some specific other permissions to
> set in the Apache configuration to allow mc-cgi scripts to be triggered
> by external requests... If yes, can those permissions be set for one
> domain name only ?
>
> More on these issues, please...
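
The "authorized domain" check and the "examine the globals before doing anything" rule described in the message above, sketched as a CGI gate. This is an added example, not code from the original post, from MetaCard or from formMail.pl; it is written in Python rather than MetaTalk, and the host names, the size limit and the function names are assumptions.

```python
import os
import sys
from urllib.parse import urlsplit

# Assumption: hosts allowed to serve the form (constructed values).
AUTHORIZED_HOSTS = {"www.example.org", "example.org"}
MAX_BODY = 64 * 1024  # assumed upper bound on an accepted POST body, in bytes


def referer_host(referer):
    """Return the lower-cased host of a Referer URL, or None if unusable."""
    try:
        parts = urlsplit(referer or "")
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname  # drops port and any user@ prefix


def check_request(env):
    """Return (ok, reason) for a CGI environment mapping."""
    if env.get("REQUEST_METHOD") != "POST":
        return False, "method not POST"
    # Referer is supplied by the client: this filters forms hosted on
    # other sites, it does not authenticate who sent the request.
    host = referer_host(env.get("HTTP_REFERER"))
    # Exact match only; a substring or suffix test would accept a host
    # such as example.org.attacker.test.
    if host not in AUTHORIZED_HOSTS:
        return False, "referer host not authorized"
    length = env.get("CONTENT_LENGTH", "")
    if not length.isdecimal() or int(length) > MAX_BODY:
        return False, "bad content length"
    return True, "ok"


def main():
    ok, reason = check_request(os.environ)
    if not ok:
        sys.stderr.write(reason + "\n")  # lands in the Apache error log
        sys.stdout.write("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nrejected\n")
        return 1
    body = sys.stdin.buffer.read(int(os.environ["CONTENT_LENGTH"]))
    sys.stdout.write("Content-Type: text/plain\r\n\r\nreceived %d bytes\n" % len(body))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Nothing is read from stdin until every check has passed, so an unexpected request causes no processing at all.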



