Rev cgi install + potential problem with cgi tutorial

J. Landman Gay jacque at hyperactivesw.com
Thu May 6 21:54:08 EDT 2004


On 5/6/04 5:47 PM, Richard Gaskin wrote:

> J. Landman Gay wrote:
> 
>> I understand your concerns, and they are entirely valid. The 
>> difference is that the Rev engine is internally secure and won't allow 
>> much abuse. I am having trouble thinking of a way that anyone could 
>> remotely hack into it (though I'd very much like to know if anyone 
>> does find one.)
> 
> 
> One could do dumb things like put in a "do" statement that executes 
> incoming CGI params.  But that would be dumb.
> 
> Moreover, if the Linux admin does his job right the worst that could 
> happen is that you'll hose your own account setup but everything else 
> on the machine would be fine.
> 

Right. The tutorial warns against using "do" and "send" this way. But it 
seems to me that this kind of script could run and get you into trouble 
no matter where the engine or the scripts were located, or what their 
permissions were (provided they had the minimum permissions to run at all.)

I can't think of any way to abuse or hack the engine remotely. But I 
really do want to know if putting the Rev engine in the cgi folder 
causes a "hole" in Apache. I can't think how it would, but I'm no Linux 
guru either.

-- 
Jacqueline Landman Gay         |     jacque at hyperactivesw.com
HyperActive Software           |     http://www.hyperactivesw.com
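
Added example, not from this thread or from the Rev/LiveCode CGI tutorial it refers to: the "do"-on-CGI-params mistake Richard describes, beside the whitelisted dispatch that replaces it. It is written in Python with eval() standing in for LiveCode's `do`, because the point is independent of the engine: a request parameter that gets executed runs with whatever privileges the CGI process has, so neither the engine's location nor its file permissions contain it, only the account it runs as. The handler names, the `action`/`name` parameters and the sample query strings are all constructed for illustration.

```python
"""Constructed example (not the original thread's or LiveCode's code): a CGI
handler that executes a request parameter, beside a whitelisted dispatch.
Python's eval() stands in for LiveCode's `do` here; the mechanism is the same."""
import os
from urllib.parse import parse_qs


def greet(params: dict) -> str:
    """Legitimate action: ?action=greet&name=bob"""
    return f"Hello, {params.get('name', ['stranger'])[0]}!"


def shout(params: dict) -> str:
    """Legitimate action: ?action=shout&name=bob"""
    return params.get("name", ["stranger"])[0].upper() + "!"


def vulnerable_handle(query_string: str) -> str:
    """The pattern the thread warns against: build a statement from a request
    parameter and execute it (the LiveCode equivalent would be
    do "put" && tAction & "(tParams) into tResult").  Whatever the client
    sends runs with the privileges of the CGI process; the engine's location
    and file permissions do not matter, only the account the process runs as."""
    params = parse_qs(query_string)
    action = params.get("action", [""])[0]
    statement = f"{action}(params)"          # attacker controls the callee
    return str(eval(statement))              # deliberately unsafe


ALLOWED_ACTIONS = {"greet": greet, "shout": shout}


def safe_handle(query_string: str) -> str:
    """Hardened form: the parameter selects a handler from a fixed table and is
    never itself executed.  Unknown or missing actions are rejected outright
    rather than "cleaned up", so there is no string for an attacker to shape."""
    params = parse_qs(query_string)
    action = params.get("action", [""])[0]
    handler = ALLOWED_ACTIONS.get(action)
    if handler is None:
        return "400 Bad Request: unknown action"
    return handler(params)


def cgi_response(body: str, status: str = "200 OK") -> str:
    """Assemble a minimal CGI reply: Status header, Content-Type, blank line, body."""
    return f"Status: {status}\r\nContent-Type: text/plain\r\n\r\n{body}\n"


if __name__ == "__main__":
    # Under Apache the query string arrives in the QUERY_STRING environment variable.
    body = safe_handle(os.environ.get("QUERY_STRING", ""))
    status = "400 Bad Request" if body.startswith("400") else "200 OK"
    print(cgi_response(body, status), end="")
```

With the vulnerable handler, a client can send `action=(lambda p: __import__('os').path.basename('/etc/passwd'))` and the server happily calls the attacker's lambda instead of `greet`; the same slot could just as well hold a call to `os.system`. The safe handler answers the same request with a 400, because the parameter is only ever used as a key into `ALLOWED_ACTIONS`. That is the property the tutorial's warning about `do` and `send` is after: no request data ever reaches the interpreter as code.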
