CGI and DestroyStack property

J. Landman Gay jacque at hyperactivesw.com
Fri Apr 28 23:49:46 CDT 2006


LiangTyan Fui wrote:

> It is rather safe to use the "do" command here. I haven't come across 
> any crackers who do xTalk, yet ;)

True, but when we take over the world you will change your mind. ;)

> It is even safer if you:
>   set secureMode to true -- all access to file system and other system 
> resources is disabled.
> if you don't really need to read/write files.

Good point. Tariel needs to write to files though.

> 
> My greater fears are the shell() command and the file path system. If you 
> pipe the parameter directly to the shell() command, you are at great 
> risk. Also, if you would allow the browser end to specify resources through 
> the path name (like /myfolder/myfile.txt), the risk of exposing other 
> files will be there (a cracker may specify something like 
> ../../../known-system-file).

Right. I think if a CGI does that, the author gets what he deserves. For 
most CGIs that I have seen, people want to do a specific task like this 
one, writing data to a stack. I don't think there is much danger with 
that, even if the stack is outside the CGI folder. There are no path 
parameters involved -- that would be written into the CGI, so hackers 
wouldn't even know the stack exists or what its file path is. I can't 
see how it could be hacked.

> 
> MetaCard engine is rather safe to use as CGI. Just like php/perl/java. 
> It is the application that opens the loophole. I've got people hacked 
> into my development server via mambo* loophole (developed on php), I can 
> only blame myself on not getting mambo up to date, there is really 
> nothing to do with php and mysql.

Scott Raney talked about this once too. He agreed that MetaCard itself 
is very safe as long as you don't do anything stupid with it. The engine 
doesn't allow any misbehavior. To really do bad things, you have to 
write the capability into your scripts.

-- 
Jacqueline Landman Gay         |     jacque at hyperactivesw.com
HyperActive Software           |     http://www.hyperactivesw.com
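A defender's check for the path-handling risk LiangTyan describes in the quoted reply, added here as an example that is neither MetaCard code nor part of the original thread. It is written in Python rather than xTalk so it can be run anywhere; the data folder and the sample requests are constructed for illustration, and the point is the check itself: resolve the requested name against a folder the CGI hard-codes, and serve nothing that lands outside it.

```python
import os
from typing import Optional

# Constructed example: the one folder this CGI is allowed to serve files from.
# As the thread notes, this belongs in the CGI itself, never in a request parameter.
CGI_DATA_DIR = "/var/www/cgi-data"

# Constructed requests, including the traversal attempt from the quoted reply.
SAMPLE_REQUESTS = [
    "/myfolder/myfile.txt",
    "myfolder/myfile.txt",
    "../../../known-system-file",
    "myfolder/../../secret",
    "",
]


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` if it stays inside base_dir, else None.

    A leading slash is treated as "relative to the data folder" (web style), so
    /myfolder/myfile.txt maps inside the folder; abspath then collapses any
    ../ segments before the prefix comparison, so traversal cannot slip through.
    """
    base = os.path.abspath(base_dir)
    # os.path.join would discard base_dir if `requested` were absolute, so strip
    # leading separators and treat every request as relative to the base.
    candidate = os.path.abspath(os.path.join(base, requested.lstrip("/\\")))
    # Compare against base + separator so that /var/www/cgi-data-evil does not
    # match, and so that the folder itself (an empty request) is not served.
    if candidate.startswith(base + os.sep):
        return candidate
    return None


def classify_requests(requests: list) -> dict:
    """Map each request to whether the CGI would serve it under the check above."""
    return {r: resolve_within(CGI_DATA_DIR, r) is not None for r in requests}


if __name__ == "__main__":
    for req, allowed in classify_requests(SAMPLE_REQUESTS).items():
        print(f"{'allow' if allowed else 'reject':6} {req!r}")
```

The same rule applies to shell(): a parameter that has passed this check is still only a file name, never something to splice into a command line.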