Rev cgi install + potential problem with cgi tutorial

Fri May 7 04:18:17 EDT 2004

Hi again,

> >
> > One could do dumb things like put in a "do" statement that executes
> > incomming CGI params.  But that would be dumb.
> >
> > Moreover, if the Linux admin does his job right the worst that could
> > happens is that you'll hose your own account setup but everything else
> > on the machine would be fine.
> >
>
> Right. The tutorial warns against using "do" and "send" this way. But it
> seems to me that this kind of script could run and get you into trouble
> no matter where the engine or the scripts were located, or what their
> permissions were (provided they had the minimum permissions to run at all.)
>
> I can't think of any way to abuse or hack the engine remotely. But I
> really do want to know if putting the Rev engine in the cgi folder
> causes a "hole" in Apache. I can't think how it would, but I'm no Linux
> guru either.
>

Although I don't remember every little detail of the installation we did, I'll

try to elaborate on a couple of issues...
One should take 2 things into consideration :

- the risk of having a hacker take the control of the Rev engine and harm
your server is very slim (almost non existent actually), unless your domain
name is ebay or paypal...

- OTOH the risk for a hacker to be able to hijack your server and use it
to harm other servers is increased by installing an executable and its scripts

in the SAME folder, like the cgi-bin. According to what I've been told, that's

how it can cause a security hole  in Apache, and for most server admins it's
always a big NO-NO.
If you are only running your own experiments on your own server, you might
decide to take the risk. But when you install Rev cgi on the server of one of
your
clients for a commercial project (which is what I'm doing now), you really
don't
want to take that risk.

As for our installation :
- the Rev engine has been installed in  /usr/local/bin/  with several
privileges
and group settings, so that the installation can only be modified via a ssh
client,
and not with a ftp client
- the scripts are in the cgi-bin, and can be uploaded via ftp
- when the engine needs to create / delete files & folders, it can be done
only
in a special directory in the html account, and the privileges have been set
so that
creating & deleting files & folders can be done via script only.

Again I don't want to scare anyone. The online cgi tutorial is great and we
can all
thank Jacqueline for writing it. Furthermore Rev cgi is a great tool, and I've
used
it myself for some critical webapps, like locating in realtime on a map cars
in the
desert via GPS data.
But security should be kept in mind when installing it on a server. The Linux
expert
who helped me said that most skilled ISPs would pull their hair when reading
the
installation chapter of the tutorial. That's why I have the feeling that
including
security issues in that chapter might help any of us when trying to convince
our
ISP to install Rev cgi on a server...

Best,
JB