CGI Parameters

 
TheLinker
Joined: 05 Apr 2002
Posts: 165
Location: Oslo, Norway

Posted: Tue Feb 18, 2003 9:17 pm    Post subject: CGI Parameters

In the control panel > Home > Server Configuration > Advanced > CGI Parameters, there are two settings regarding the interpreter resolve...

Resolve interpreter using the Windows Registry and
Resolve interpreter using the script's #! line

Are these variables used at all?? Because interpreter resolution is done by setting the CGI Interpreters section right below... or am I missing something here?? :)
aprelium
Joined: 22 Mar 2002
Posts: 6800

Posted: Thu Feb 20, 2003 12:31 am    Post subject: Re: CGI Parameters

TheLinker wrote:
In the control panel > Home > Server Configuration > Advanced > CGI Parameters, there are two settings regarding the interpreter resolve...

Resolve interpreter using the Windows Registry and
Resolve interpreter using the script's #! line

Are these variables used at all?? Because interpreter resolution is done by setting the CGI Interpreters section right below... or am I missing something here?? :)

Yes, they can all be used to know how a CGI script should be run. Please refer to the User's Guide (CGI chapter) for a complete description of how the server uses these parameters.
_________________
Support Team
Aprelium - http://www.aprelium.com
TheLinker
Joined: 05 Apr 2002
Posts: 165
Location: Oslo, Norway

Posted: Thu Feb 20, 2003 10:34 am    Post subject: Re: CGI Parameters

aprelium wrote:
Yes, they can all be used to know how a CGI script should be run. Please refer to the User's Guide (CGI chapter) for a complete description of how the server uses these parameters.

Yes, I did read the "How are they run?" section of the CGI chapter... and saw the sequence of finding a suitable interpreter... but I wasn't sure if their functionality was enabled... or even needed. :)
I think all interpreter resolution should be done only from the application ini file... that gives most control and overview for the available interpreters.
I noticed that those options are by default set to No... maybe they should be removed??
aprelium
Joined: 22 Mar 2002
Posts: 6800

Posted: Thu Feb 20, 2003 8:29 pm    Post subject: Re: CGI Parameters

TheLinker wrote:
aprelium wrote:
Yes, they can all be used to know how a CGI script should be run. Please refer to the User's Guide (CGI chapter) for a complete description of how the server uses these parameters.

Yes, I did read the "How are they run?" section of the CGI chapter... and saw the sequence of finding a suitable interpreter... but I wasn't sure if their functionality was enabled... or even needed. :)
I think all interpreter resolution should be done only from the application ini file... that gives most control and overview for the available interpreters.
I noticed that those options are by default set to No... maybe they should be removed??

Finding the CGI interpreter using the #! line is an industry standard. Many people expect to have that feature, especially when they come from a Unix background. It is also useful when you want to pass arguments to your interpreter (for example, when running perl in the tainted mode with #!perl -t)
The other option is also needed in some cases. ActivePerl for example associates .pl with the perl executable. In case you don't set it in the CGI interpreters table, the server can still find that .pl files are run by perl.exe.
_________________
Support Team
Aprelium - http://www.aprelium.com
TheLinker
Joined: 05 Apr 2002
Posts: 165
Location: Oslo, Norway

Posted: Sat Feb 22, 2003 9:32 pm    Post subject: Re: CGI Parameters

aprelium wrote:

Finding the CGI interpreter using the #! line is an industry standard. Many people expect to have that feature, especially when they come from a Unix background. It is also useful when you want to pass arguments to your interpreter (for example, when running perl in the tainted mode with #!perl -t)

I know perl scripts usually have a #! topline and can be executed from this information... but should these scripts be allowed to run in CGI mode?? Isn't this a security risk?? If someone changes the topline to e.g. #! Format C:\ , or something like that?

aprelium wrote:

The other option is also needed in some cases. ActivePerl for example associates .pl with the perl executable. In case you don't set it in the CGI interpreters table, the server can still find that .pl files are run by perl.exe.

Hmm... well, I still think all configuration regarding the web server should only be available from its own config file. Depending on some weird registry setting (okay, I don't like that registry thingy in Windows too much) makes the total server configuration a little more difficult to follow.
But... those two switches are always OFF on my web server, so I guess it doesn't matter too much... :)
aprelium
Joined: 22 Mar 2002
Posts: 6800

Posted: Sun Feb 23, 2003 1:00 am    Post subject: Re: CGI Parameters

TheLinker wrote:
I know perl scripts usually have a #! topline and can be executed from this information... but should these scripts be allowed to run in CGI mode?? Isn't this a security risk?? If someone changes the topline to e.g. #! Format C:\ , or something like that?

This couldn't be considered a security risk since the user is fully responsible for what their files contain.
By the way, if the user puts some weird things in the #! line, Abyss Web Server will complain.
_________________
Support Team
Aprelium - http://www.aprelium.com
TheLinker
Joined: 05 Apr 2002
Posts: 165
Location: Oslo, Norway

Posted: Sun Feb 23, 2003 11:33 am    Post subject: Re: CGI Parameters

aprelium wrote:
This couldn't be considered a security risk since the user is fully responsible for what their files contain.

Well, who are the users then?? :-) If my site allows my users to upload their own php and perl scripts, they are the users now... they can even upload some weird executable to follow the script and by that creating a security risk, or??
Quote:

By the way, if the user puts some weird things in the #! line, Abyss Web Server will complain.

But what are weird things here?? ... If my users upload a script called mytest.xyz, and with that script a 32-bit console application called mytest.exe... now, in the topline of the script it says #! ./mytest.exe. Will Abyss complain about this??

btw: I don't have any computers available where I'm located right now, so the above statements are of course just theories... otherwise I would have tested it myself.
aprelium
Joined: 22 Mar 2002
Posts: 6800

Posted: Mon Feb 24, 2003 1:08 am    Post subject: Re: CGI Parameters

If you allow people to upload scripts to your web space and to remotely execute them, it is your job to track security issues. Abyss Web Server can't take your place and judge if some action is bad or not (that's why administrators exist, I guess :D )
If you are in such an environment, it is better to disable these options, especially if you aren't the only "user".
Abyss Web Server, like any server software, assumes that it is the admin's job to tune the options in order to meet his security requirements. It offers as many options as possible, but you should benefit from some of them and disable ones that can lead to problems.
_________________
Support Team
Aprelium - http://www.aprelium.com
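
Added example (not part of the thread and not Abyss Web Server code): one way an administrator who accepts uploaded scripts could audit their #! lines before enabling "Resolve interpreter using the script's #! line". The APPROVED policy, the function names and the sample files are assumptions constructed for illustration; the three #! lines are the ones quoted in the posts above.

```python
import re

# Constructed policy (assumption): interpreters the administrator approves,
# keyed by lower-cased name or absolute path, with the arguments permitted for each.
APPROVED = {
    "perl": {"-t", "-T", "-w"},
    r"c:\perl\bin\perl.exe": {"-t", "-T", "-w"},
}
# Absolute means: optional drive letter followed by a slash or backslash.
ABSOLUTE = re.compile(r"^(?:[A-Za-z]:)?[\\/]")

def parse_shebang(text):
    """Return (interpreter, [args]) from the first line, or None if it has no #! line."""
    first = text.split("\n", 1)[0].rstrip("\r")
    if not first.startswith("#!"):
        return None
    parts = first[2:].split()
    return (parts[0], parts[1:]) if parts else None

def audit(text):
    """Classify a script's #! line against the APPROVED policy."""
    parsed = parse_shebang(text)
    if parsed is None:
        return "no-shebang"
    interp, args = parsed
    has_dir = "/" in interp or "\\" in interp
    if has_dir and not ABSOLUTE.match(interp):
        return "relative-interpreter"   # e.g. ./mytest.exe uploaded beside the script
    allowed_args = APPROVED.get(interp.lower())
    if allowed_args is None:
        return "interpreter-not-approved"
    if any(a not in allowed_args for a in args):
        return "argument-not-approved"
    return "ok"

# Constructed sample uploads (file name -> content).
SAMPLES = {
    "hello.pl": "#!perl -t\nprint \"Content-Type: text/plain\\n\\nhi\\n\";\n",
    "mytest.xyz": "#! ./mytest.exe\n",
    "wipe.pl": "#! Format C:\\\n",
    "page.pl": "print 1;\n",
}

def audit_all(samples=SAMPLES):
    """Audit every sample and return {file name: verdict}."""
    return {name: audit(body) for name, body in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit_all().items():
        print(f"{name}: {verdict}")
```
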
TheLinker
Joined: 05 Apr 2002
Posts: 165
Location: Oslo, Norway

Posted: Tue Feb 25, 2003 8:02 pm    Post subject: Re: CGI Parameters

aprelium wrote:
If you allow people to upload scripts to your web space and to remotely execute them, it is your job to track security issues.

I agree with you on this one... :)
Quote:
Abyss Web Server can't take your place and judge if some action is bad or not (that's why administrators exist, I guess :D )

I agree with you even more on this one... :D
Quote:

If you are in such an environment, it is better to disable these options, especially if you aren't the only "user".

I think most users go with the default settings anyway, so it should not be a security risk... still, CGI executing has always been considered one of the most "dangerous" operations on a web server...
Quote:

Abyss Web Server, like any server software, assumes that it is the admin's job to tune the options in order to meet his security requirements. It offers as many options as possible, but you should benefit from some of them and disable ones that can lead to problems.

I guess that's where I disagree with you a little... :wink: I don't like having too many possibilities on how CGI can be executed... so I hope those switches work 100%.. 8)
aprelium
Joined: 22 Mar 2002
Posts: 6800

Posted: Wed Feb 26, 2003 1:32 am    Post subject: Re: CGI Parameters

TheLinker wrote:

I guess that's where I disagree with you a little... :wink: I don't like having too many possibilities on how CGI can be executed... so I hope those switches work 100%.. 8)

If you do a fresh installation of a new version of Abyss Web Server, you will notice that these "dangerous" options are off by default. By default, the user has the most secure CGI settings.
_________________
Support Team
Aprelium - http://www.aprelium.com