Daily Random Thoughts

Jan 30, 2009 08:45

(via LoudTwitter)

  • 11:34 Things you DON'T want to see on the "secure" webserver, part 1 in a series: "-rwxrwxrwx 1 root other 95 Jan 21 2003 test.cgi*"
  • 12:58 Question: Did I once accidentally start a movement while I wasn't looking? is.gd/hIZ3 predates the LJ appliance_kin comm by 2 months.

140 characters


Comments 2

packbat February 1 2009, 01:00:20 UTC
Okay, I'm not really up on UNIX file permissions - is that a script with root privileges that anyone can run? And edit?


packbat February 1 2009, 01:23:16 UTC
That is a CGI that is owned by root, but it is not setuid root, so it is not granted the privileges of root when run. (If it were, it would have "rws" in the first position.) CGIs that are owned by root generally run under the user ID of the webserver process. It is still world-writable, which is still bad, because it means anyone on the local host who can access that file at all and who can cause a request to be made to that CGI can cause the webserver to run arbitrary code.

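The two things the reply above is reading off that `ls -l` line (the "others" write bit and the absence of a setuid `s`) can be checked mechanically. The following audit function is an added example, not code from the post or from either commenter; the first sample line is the one quoted in the post, the other two are constructed.

```sh
#!/bin/sh
# Audit ls -l style lines for the risks discussed above:
# world-writable files (anyone on the host can edit what the webserver runs)
# and setuid/setgid bits (the script would run with the owner's privileges).

# classify_mode MODE -> prints comma-separated findings, or "ok"
classify_mode() {
    mode=$1
    findings=""
    # character 9 of the mode string is the "others" write bit
    case "$(printf '%s' "$mode" | cut -c9)" in
        w) findings="${findings}world-writable," ;;
    esac
    # character 4 is owner execute; 's' or 'S' there means setuid
    case "$(printf '%s' "$mode" | cut -c4)" in
        s|S) findings="${findings}setuid," ;;
    esac
    # character 7 is group execute; 's' or 'S' there means setgid
    case "$(printf '%s' "$mode" | cut -c7)" in
        s|S) findings="${findings}setgid," ;;
    esac
    if [ -z "$findings" ]; then
        printf 'ok\n'
    else
        printf '%s\n' "${findings%,}"   # drop the trailing comma
    fi
}

# audit_line "LS_LINE" -> "<name> (owner <owner>): <findings>"
audit_line() {
    set -- $1            # split the ls -l line on whitespace (9 fields)
    mode=$1; owner=$3; name=$9
    name=${name%\*}      # strip the trailing "*" that ls -F appends to executables
    printf '%s (owner %s): %s\n' "$name" "$owner" "$(classify_mode "$mode")"
}

# Sample input: first line quoted from the post, the rest constructed.
audit_line "-rwxrwxrwx 1 root other 95 Jan 21 2003 test.cgi*"
audit_line "-rwsr-xr-x 1 root other 95 Jan 21 2003 suid.cgi*"
audit_line "-rwxr-xr-x 1 www www 95 Jan 21 2003 safe.cgi*"
```

Feeding it `ls -lF` output of a cgi-bin directory line by line gives a quick inventory of scripts that anyone local could rewrite before the webserver executes them.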
