Major Security Risk with new cgi server


Major Security Risk with new cgi server

I think by accident I have found a major security hole in the new cgi server on the website. I've put a ticket to F9 and I'll give them 24 hours to resolve it! Before making it public.

Of course it may be me and a mistake on my side, but I have reproduced it multiple times with fresh browsers.

Re: Major Security Risk with new cgi server

Quote
I think by accident I have found a major security hole in the new cgi server on the website. I've put a ticket to F9 and I'll give them 24 hours to resolve it! Before making it public.

Of course it may be me and a mistake on my side, but I have reproduced it multiple times with fresh browsers.


F9 response:
This is a known risk.
More details on this can be found here:
http://www.plus.net/support/webspace/cgi/cgi_faq_new.shtml#21

Major Security Risk with new cgi server

And the security hole is...

Major Security Risk with new cgi server

.htaccess does not work when directed to a php file with ? in the url, so example/test.php? would let you go straight to the page whilst example/ would ask for a username and password.

This makes it difficult to protect your php admin files!

Major Security Risk with new cgi server

chmod them all to 700 -

no-one can read them but you, and when they are run they are run under your name. The webserver runs under a different user name which is in your group and it has no access using 700.

Note this only applies to scripts.

Major Security Risk with new cgi server

Sorry, misunderstood. Just put some login code in there!!!!

Major Security Risk with new cgi server

I've been looking at the login code for PHP and it is file dependent, which means I have to put it in every admin file whilst before I could rely on the htaccess locking the whole folder. I think for the amount of extra work it may be easier to find a new ISP who actually cares about its customers.

Major Security Risk with new cgi server

The current setup which prevents other users' scripts destroying yours prohibits that (as far as I know). Personally I prefer it this way round.

I see your point about the ease of security but adding your own login code is a much better solution imho. The easiest thing is to write some code that is inserted at the top and bottom of all your pages (as includes) to check your credentials and display the page requested.


<?php require('loginhead.php'); ?>
....
your code
...
<?php require('loginfoot.php'); ?>


then login head would be something like

<?php
session_start();
// Only one account here: put the output of password_hash('yourpassword', PASSWORD_DEFAULT) in ADMIN_HASH
define('ADMIN_USER', 'admin');
define('ADMIN_HASH', '<paste output of password_hash() here>');

if (isset($_POST['loginsubmit'])) {
    // log in if the submitted credentials are correct
    if (($_POST['user'] ?? '') === ADMIN_USER && password_verify($_POST['pass'] ?? '', ADMIN_HASH)) {
        $_SESSION['user'] = ADMIN_USER;
    }
}

if (!isset($_SESSION['user'])) {
    // not logged in: show the login prompt, which submits back to this same page ($PHP_SELF)
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);
    echo "<form method=\"post\" action=\"$self\">User <input name=\"user\"> Password <input type=\"password\" name=\"pass\"> ",
         "<input type=\"submit\" name=\"loginsubmit\" value=\"Log in\"></form>";
} else {
?>

and the login foot would be

<?php
} // closes the else branch opened in loginhead.php, so the page body is only sent when logged in
?>


It's very pseudo but hope that helps.

Jarv
Marteknet

Major Security Risk with new cgi server

Quote
.htaccess does not work when directed to a php file with ? in the url so example/test.php? would let you go straight to the page whilst example/ would ask for a username and password.

This makes it difficult to protect your php admin files!


I don't use htaccess, it's a pain and has been for a while. Here is a far better way.

Put an index.html file in the directory that kicks browsers to the correct login script if the directory is called, e.g. http://ccgi.username/cgi-bin/example/

Then get all the scripts to pass the username and password across as they are called, starting with the logon page. Include a small script in every script that checks the username and password against your user database and, if they don't match, kick the browser over to the login script. It's a little basic but it works, as every file checks that the user is logged in with the correct password.

The added bonus is that if the script runs then you know the password check runs as well; you are not relying on any external stuff (htaccess) to keep things protected.

Hope this helps.

Peter.
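A concrete version of the per-script check that Jarv and Peter describe above, added here as an example and not code from the thread or from Plusnet. It assumes a users.txt file of username:hash lines and a login.php form (both assumptions), and it keeps the logged-in state in a PHP session rather than passing the password along with every request:

```php
<?php
// checklogin.php: require this as the very first line of every admin script,
// before any output, e.g.  require 'checklogin.php';
// Assumptions (not from the thread): users.txt next to this file holds one
// "username:hash" line per user, and login.php is the form that POSTs
// 'user' and 'pass' to itself and calls try_login().
session_start();

// Load the user database. Keep users.txt readable only by your own account
// (chmod 600): scripts run under your name, so they can still read it.
function load_users(string $path): array {
    $users = [];
    if (!is_file($path)) {
        return $users;
    }
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        [$name, $hash] = array_pad(explode(':', $line, 2), 2, '');
        $users[$name] = $hash;
    }
    return $users;
}

// Check a submitted username/password. Hashes are made with
// password_hash($pass, PASSWORD_DEFAULT), so no plaintext password is stored.
function try_login(string $user, string $pass): bool {
    $users = load_users(__DIR__ . '/users.txt');
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id after login
    $_SESSION['user'] = $user;
    return true;
}

// The gate itself: any script that includes this file stops here unless the
// session is logged in. Because it runs inside PHP, adding '?' to the URL
// makes no difference, unlike the directory-level .htaccess check.
if (basename($_SERVER['SCRIPT_NAME']) !== 'login.php' && empty($_SESSION['user'])) {
    header('Location: login.php');
    exit;   // without exit the rest of the admin page would still be sent
}
```

The include must come before any HTML output, otherwise the Location header cannot be sent and the redirect silently fails.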

Major Security Risk with new cgi server

Isn't that what I said (albeit not very clearly)...?
Marteknet

Major Security Risk with new cgi server

Maybe Jarv, as I didn't read it clearly as well ;)