CGI and DestroyStack property

LiangTyan Fui mlist at afteroffice.com
Fri Apr 28 23:28:05 CDT 2006


On Apr 29, 2006, at 8:28 AM, J. Landman Gay wrote:

> Tariel Gogoberidze wrote:
>
>>> You can do it if you keep the stack somewhere else outside of the  
>>> CGI
>>> folder, but I hear that can be a security risk (though I'm not  
>>> sure how
>>> exactly, but someone wrote me once with very strong opinions  
>>> about it.)
>> Probably because it opens the door to what's usually called  
>> "executing arbitrary code on remote computer" :)
>
> Right, that's what they said, but I don't see how it could be done.  
> The CGI would only write specific data to a specific stack, and  
> there isn't any way to make it behave differently by sending  
> commands to it. As long as your CGI only operates on valid input,  
> how could someone execute code?
>
> The only way a CGI could be misused that way is if it contained a  
> line of script like:
>
>   do the params

It is rather safe to use the "do" command here. I haven't come across
any crackers who do xTalk, yet ;)
It is even safer if you:
   set secureMode to true -- all access to the file system and other system resources is disabled.
if you don't really need to read/write files.

My greater fears are the shell() command and the file path system. If
you pipe the parameter directly to the shell() command, you are at
great risk. Also, if you allow the browser end to specify
resources through the path name (like /myfolder/myfile.txt), the risk of
exposing other files will be there (a cracker may specify something
like ../../../known-system-file).

The MetaCard engine is rather safe to use as CGI, just like php/perl/
java. It is the application that opens the loophole. I've had people
hack into my development server via a mambo* loophole (developed in
php). I can only blame myself for not keeping mambo up to date; it
really has nothing to do with php and mysql.

* http://www.mamboserver.com/

-- 

>
> which would be a really stupid thing to include. I can't think how  
> a MC CGI could be abused without something like that in it.
>
> -- 
> Jacqueline Landman Gay         |     jacque at hyperactivesw.com
> HyperActive Software           |     http://www.hyperactivesw.com
> _______________________________________________
> metacard mailing list
> metacard at lists.runrev.com
> http://lists.runrev.com/mailman/listinfo/metacard


