WebApp Sec mailing list archives

Re: htaccess with apache


From: Lucas Holt <luke () foolishgames com>
Date: Tue, 4 Nov 2003 16:48:11 -0500


On Nov 4, 2003, at 2:38 PM, A.D.Douma wrote:

Hello,

I had a similar problem with a cgi script that used a <input type='hidden'
name='success' value=succes.'html'> to point the client's browser to the
"transaction complete page".

Because of this an attacker could read every file on the webserver. Luckily
the /etc/passwd file was shadowed. My question is what else could an
attacker do? Would command execution be possible?

Thanks



Yes, as the user the webserver is running as. For example, I did an audit at my former employer once. I got into the webserver through a CGI called Mailman (endymion) which is a pop3 mail checker. The template code had a bug. I was able to execute programs and see the results: ps, ls, cat, etc. My boss ran all services as nobody like a moron. Basically I could access most files on the system because he made sure read access was available to all the services "in case they needed them." Sadly, I worked for an ISP.

Lucas Holt
Luke () FoolishGames com
________________________________________________________
FoolishGames.com  (Jewel Fan Site)
JustJournal.com (Free blogging)

"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
- Albert Einstein (1879-1955)


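The file-disclosure pattern in the quoted message (a hidden form field naming the page the CGI sends back), shown next to a hardened lookup. This is an added example, not part of the original thread or anyone's posted script; it uses Python rather than the original CGI language, and TEMPLATE_DIR, ALLOWED_PAGES and the sample files are constructed here.

```python
"""Constructed illustration of the 'success page' parameter bug from the
thread, with a safe replacement. Paths and file contents are made up."""
import os
import tempfile
from pathlib import Path

# Constructed template directory standing in for the CGI's page set.
TEMPLATE_DIR = Path(tempfile.mkdtemp()).resolve()
(TEMPLATE_DIR / "success.html").write_text("<h1>Transaction complete</h1>")

# Constructed file outside the template directory, standing in for
# anything the webserver user can read but the browser must never see.
SECRET = Path(tempfile.mkdtemp()).resolve() / "secret.txt"
SECRET.write_text("not for the browser")

# Allow-list of bare page names the script is permitted to serve.
ALLOWED_PAGES = {"success.html"}


def unsafe_page(success_param: str) -> str:
    """Vulnerable pattern: the hidden field names the file to send back and
    the script opens whatever it is handed, so any readable file leaks."""
    with open(success_param) as fh:  # caller controls the whole path
        return fh.read()


def safe_page(success_param: str) -> str:
    """Hardened lookup: accept only an allow-listed bare file name, then
    confirm the resolved path is still inside TEMPLATE_DIR before reading."""
    name = os.path.basename(success_param)
    # Reject anything that is not exactly an allow-listed bare name
    # (this also rejects '../success.html' and absolute paths).
    if name != success_param or name not in ALLOWED_PAGES:
        raise ValueError("page not permitted")
    target = (TEMPLATE_DIR / name).resolve()
    if TEMPLATE_DIR not in target.parents:
        raise ValueError("path escapes template directory")
    return target.read_text()


def is_permitted(success_param: str) -> bool:
    """True if safe_page() would serve this parameter, False if it rejects it."""
    try:
        safe_page(success_param)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("unsafe:", unsafe_page(str(SECRET)))   # leaks the secret
    print("safe:", is_permitted(str(SECRET)))     # False
```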