Shell Simulation Via CGI 337
mischi writes "CGI-Shell simulates a shell using CGI. So everybody who has a CGI-directory on a web-server, also has its own shell on it -- comparable with Telnet or SSH.
That's really practical, because most webhosters don't offer a shell (for free) -- but do offer CGI.
With CGI-Shell you can execute commands, copy files or just explore your webserver. Even a history and auto-completion with tabulator are included.
"
Simulation? (Score:2, Insightful)
Give me a break (Score:3, Insightful)
To Paraphrase Jurrassic Park... (Score:2, Insightful)
Just imaging Jeff Goldblum doing his bug-eyed, the-sky-is-falling scientist bit
--Mid
I had the opposite (Score:5, Insightful)
I once had the opposite problem. About 10 years ago, my ISP gave shell accounts and a web folder, but did not offer cgi. Again, why bother? I got around it rather easily by running my own http server on a non-standard port from my shell account. Then if I wanted to link to a cgi from my web page, I just had to include the ":port" in the URL.
just use xterm. (Score:1, Insightful)
This is news? (Score:4, Insightful)
Such "shell" CGIs have been around for a while.
I don't see why this ad...i mean...story deserves to be posted.
Re:Backdoors (Score:5, Insightful)
Not to be stupid (Score:2, Insightful)
Re:I've used something exatly like this for months (Score:4, Insightful)
Re:Backdoors (Score:3, Insightful)
If you misconfigure this thing, or leave it lying around, or make the password guessable...well, how's this different from having a buggy CGI-script [slashdot.org] or otherwise?
Re:Backdoors (Score:2, Insightful)
But...
I once worked on a machine that had "nobody" with write permissions.
I had to explain to the client that because the web server was working fine, that it didn't mean that the security and permissions were in tact.
The admin (a windows guy) decided that since he kept getting the "permission denied" when any web page was displayed, the best thing to do was to give "all access" permissions to "nobody".
Once again, I explained to him that unlike Windows, permissions on Linux and Unix is a bit more flexible and clearly something that shouldn't be taken lightly -- I got this glazed look, and simply fixed it all for him and told him to leave that box alone "and stick with NT".
A CGI to do shell commands. Another thing to worry about on your customer machines...
no thanks
Its only a problem if your web host is a moron... (Score:2, Insightful)
Speaking as a Web Host [assortedinternet.com] - I wouldn't mind this one bit. We run suEXEC on our servers, so any commands that they execute under this CGI-Shell would run under their own permissions anyhow.
They can do no worse running this script than they can already do on the command line. Since we use fairly tight permissions on the server, there isn't a lot they can do to disrupt things anyways.
A PHP Shell script [gimpster.com] has been around for a while - THAT version can cause some security issues since typically PHP runs as nobody. Then the trick is making sure nobody doesn't have any special permissions that could cause a server issue.
Basically, if your diligent, this script shouldn't cause any more problems than any other CGI script.
Take care,
Brian
--
http://www.assortedinternet.com/ [assortedinternet.com]
Re:Backdoors (Score:1, Insightful)
I highly recommend against anyone setting this up on their servers. BAD IDEA!!!
GREAT! Now people will install these stupid CGI's and then we'll REALLY have an epidemic on our hands. It's bad enough having to deal with Micro$lop and their idiotic security policy.
Is it worse than CGI? (Score:5, Insightful)
My first response was 'you what?'
Over the next few years we saw countless exploits of the form 'add this to the command line arguments, execute an arbitrary command'.
This is one reason why I so hate 'its only like what we do before' type security arguments. What you are already doing may be braindamaged.
People like to complain about IIS security but they fail to acknowledge that the single architectural issue that has led to those exploits is structurally similar to CGI. The game is to persuade a script to execute an arbitrary command.
Apache has had fewer exploits simply because the bugs are attributed to the braindamaged scripts written by the users.
If you want to run a secure Web server the thing to do is to turn off all scripting. Compiling the scripts and linking them into the server as a plug in is a lot more satisfactory as an architectural approach, especially if you have ways to reduce the privilleges of that module to least priv.
Re:Backdoors (Score:3, Insightful)
the user has already the right to run serverside stuff to run this, so what's the problem?
it's not like you should as a webhoster trust the individual users of you to be competent enough to write secure cgi scripts.
i would kinda think that people would be putting passwords on their cgi-shells, otherwise they could just as well give their ftp passes on their page as well.
Violation of principles (Score:3, Insightful)
As others have said, there are so many ways this could be abused, either willfully or by accident. You can make the situation a little bit better by restricting this service to HTTPS sites, certain users or IPs, etc -- but why bother reinventing the wheel when, in the form of SSH (or even Telnet), this is a more or less solved problem?
I do not see this as a good idea for general Geocities styled simple CGI site hosting. It might be useful in certain restricted environments -- your server's co-location facility only allows port 80, but you have VPN access & can usefully tunnel in this way -- but any example I can think of (like the one I just wrote) is pretty contrived & probably full of holes. It is a pretty clever engineering hack, but not one that should probably be released into the wild -- it addresses the wrong problem in the wrong way, albeit cleverly.
No change to the level of security (Score:3, Insightful)
Before this program, you had to write a script like this (for example):
Security VS Convenience (Score:3, Insightful)
Actually what I _really_ wish I could find is a nice, free, secure file transfer program. I use scp but our designer doesn't seem to get it or ssh. I just want a nice gui that he can run on his Mac that is a bit more secure than ftp.
This is what perl's safe mode is for (Score:3, Insightful)
They do, however.
Front Doors, not Back Doors. Admin work! (Score:4, Insightful)
(Obviously if your hosting provider uses a Windows system instead of Unix, the answer to "where are you" is "Probably nowhere interesting", though it can probably be adapted to support Windows command line services as well.)
Re:Backdoors (Score:2, Insightful)