HP3000-L Archives

October 1997, Week 1

HP3000-L@RAVEN.UTC.EDU

From: Andreas Schmidt <[log in to unmask]>
Date: Thu, 2 Oct 1997 09:32:43 +0200
Content-Type: text/plain

Mark, many thanks for your hints.
You're right: the only thing which is currently forbidden is a PURGE ...
But this script runs only in a crash&burn environment on the Intranet and
was only designed for test purposes to show some people what is possible on
MPE ...
It was introduced into HP3000-L as an idea of how a solution for the original
problem (print spoolfiles in the Intranet) could look.

Nevertheless: all people should read your warning before installing
something open like this!

Best regards, Andreas Schmidt, CSC

markb @ spock.dis.cccd.edu
01-10-97 07:07 PM

Please respond to [log in to unmask]

To:   Andreas Schmidt/HI/CSC
cc:   HP3000-L @ RAVEN.UTC.EDU
Subject:  Re: MPE commands via the web

Andreas Schmidt writes:
> I already have a little cgi-bin script on the HP3000 running the free NCSA
> web server (thanks Lars!) which executes out of a little form any MPE
> command (but some not ...;-).
>
> The only issue is: security!

This script has two bad features from a web security point of view:

1) It takes the approach that what is not forbidden is allowed. Clever
hackers could do bad things to your system with commands you haven't
realized are dangerous. A safer philosophy is that what is not allowed is
forbidden. Safest of all would be to have your script only recognize your
own meta-commands like "displaystatus", etc., that your script would then
map to the appropriate MPE commands.

2) You're not removing all shell metacharacters from the command and
parameters immediately before any other processing. By inserting the
proper malicious shell metacharacters into the QUERY_STRING, I can probably
execute any MPE or sh command that I want to, and you won't be able to stop
me unless you have removed these metacharacters prior to processing. These
metacharacters offer much shell programming power, but do represent a major
security hole on many web sites.

<skipped the script>
--
Mark Bixby                      E-mail: [log in to unmask]
Coast Community College Dist.   Web: http://www.cccd.edu/~markb/
District Information Services   1370 Adams Ave, Costa Mesa, CA, USA 92626-5429
Technical Support               +1 714 438-4647
"You can tune a file system, but you can't tune a fish." - tunefs(1M)
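Mark's two points, as an added example (this is not the script from the original post, which was omitted from the thread, and not code from Mark or Andreas): a small POSIX sh CGI dispatcher that recognizes only its own meta-commands, maps each to a fixed MPE command, and rejects any parameter containing a shell metacharacter, shown beside the deny-list check that forbids only PURGE. The meta-command names, the MPE commands they map to (SHOWJOB, LISTSPF), the assumption that the form fields arrive already URL-decoded, and the request strings fed to it are all assumptions constructed for the illustration; nothing here hands a command to the MPE CI, it only returns the command line it would run.

```shell
#!/bin/sh
# Added example, not the script from the original post. Assumed: the CGI has
# already URL-decoded the two form fields into a meta-command and one
# parameter; the meta-command names and the MPE commands behind them are
# illustrative. build_command only returns the command line a real CGI on
# MPE/iX would pass on to the CI; it does not execute anything.

# Deny-by-default: only meta-commands listed here are recognised, and each
# maps to a fixed MPE command, so the web user never supplies an MPE verb.
map_command() {
    case "$1" in
        displaystatus) echo "SHOWJOB" ;;
        listspool)     echo "LISTSPF" ;;
        *)             return 1 ;;    # anything not listed is forbidden
    esac
}

# Parameter allow-set: letters, digits, dot, underscore, dash. Everything
# else (; | & $ ` ( ) < > quotes, spaces, newlines ...) is rejected outright
# rather than escaped, so no shell metacharacter ever reaches the CI.
# An empty parameter is allowed (command without arguments).
is_clean_param() {
    case "$1" in
        *[!A-Za-z0-9._-]*) return 1 ;;
        *)                 return 0 ;;
    esac
}

# Compose the command line for one request. Exit status: 0 ok, 1 unknown
# meta-command, 2 parameter contains a forbidden character.
build_command() {
    mpe=$(map_command "$1") || return 1
    is_clean_param "$2"     || return 2
    if [ -n "$2" ]; then
        echo "$mpe $2"
    else
        echo "$mpe"
    fi
}

# The pattern Mark warns about, for contrast: a deny-list that forbids only
# PURGE and passes everything else through. A request that smuggles a PURGE
# in behind ';' is accepted, because only the leading word is checked.
denylist_accepts() {
    case "$1" in
        PURGE*|purge*) return 1 ;;
        *)             return 0 ;;
    esac
}

# Constructed requests (meta-command:parameter), including three attacks:
# a ';' injection, a forbidden verb used as a meta-command, and backticks.
demo() {
    for req in "displaystatus:" "listspool:O123" "listspool:O123;PURGE X" \
               "purge:X" 'listspool:`SHOWJOB`'; do
        meta=${req%%:*}
        arg=${req#*:}
        if out=$(build_command "$meta" "$arg"); then
            echo "ACCEPT  $req  ->  $out"
        else
            echo "REJECT  $req"
        fi
    done
    if denylist_accepts "LISTSPF O123;PURGE X"; then
        echo "deny-list accepted 'LISTSPF O123;PURGE X': the hole Mark describes"
    fi
}

demo
```

The allow-set approach sidesteps escaping entirely: because the parameter can only ever contain characters that mean nothing special to sh, there is no list of metacharacters to keep up to date, and a new shell feature cannot reopen the hole.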
