RE: CGI security on a shared web server

From: Beatie, Breck (ISSMountain View) (BBeatie@iss.net)
Date: 05/28/02 

From: "Beatie, Breck (ISSMountain View)" <BBeatie@iss.net>
To: secprog@securityfocus.com
Date: Tue, 28 May 2002 16:52:59 -0400

Hmmm, actually we're all missing the point here. The original post
was not asking how to solve the problem. It was asking
        I don't understand what risks there are to the server and
        machine as a whole, such that the server owner should be
        reluctant to enable this feature. Could someone please tell
        me what are the risks and how are these risks controlled in
        typical "good" use of suEXEC?

I'm probably not qualified to answer these questions but just as a point
for discussion I thought I'd mention a possible risk.

There are vulnerabilities (root access vulnerabilities at that) that
require access to a command line. If the original poster's account
were to be compromised to the point that an attacker could get a command
line running with that poster's privileges then perhaps the attacker
could parlay that access into root access on the machine.

-----Original Message-----
From: H D Moore [mailto:sflist@digitaloffense.net]
Sent: Monday, May 27, 2002 8:20 PM
To: Steffen Dettmer; secprog@securityfocus.com
Subject: Re: CGI security on a shared web server

On Saturday 25 May 2002 10:34, Steffen Dettmer wrote:
> * Kurt Seifried wrote on Thu, May 23, 2002 at 14:05 -0600:
> > One possible solution, assuming you need to write the data but not read
> > it until later is to encrypt it, generate a public/private keypair using
> > pgp/gnupg, load the public key onto the server with your app, have it
> > write the files after encrypting the data. Thus you can retrieve the
data
> > (ftp, www, whatever) and then decrypt it at your leisure and use it.
>
> I don't think that this makes things secure. If the web server
> runs as nobody, the CGI script must be executable for nobody. The
> secret key must be reable for nobody.

I think you missed the point here, what Kurt suggested was that you only
place
the PUBLIC key on the web server and encrypt (not sign) the data you want to

store. When you want access to the data, you download the files and decrypt
them on your local server/workstation/etc. This doesn't prevent someone from

writing bogus data into your file, but it does keep them from reading it.

-HD