On Fri, 22 Oct 1999, Stephen Turner wrote:
> On Fri, 22 Oct 1999, Stephen Turner wrote:
> 
>>> On Thu, 21 Oct 1999, Aengus Lawlor wrote:
>>> The documentation says of CGI ON that "You can't choose any options that 
>>> way though". This isn't my experience. I just typed in the following URL 
>>> 
>>> http://<server>/analog/analog.exe?c:\logs\jun.log+c:\logs\jul.log+%2bC"HOSTNAME+Test"+%2bO-+%2bC"CGI%20ON"
>>> 
>>> and got a report for the two logs specified, and with the specified 
>>> hostname.
>>
>> Hmmm. It looks as if your server is passing those arguments in on the
>> command line. I didn't think that was normal behaviour, but I'll check on 
>> my Apache this evening.
>> 
>> In this case, it's a serious security risk. The anlgform.pl filters out
>> certain dangerous arguments. For example, if someone specified HEADERFILE 
>> in your example, they could view any file on the system. Don't keep it 
>> there!
>
>OK, as far as I can see Apache doesn't pass the arguments. Is this IIS 
>doing this?

Yes (IIS3 and IIS4). Isn't it supposed to pass GET parameters like that? I 
have an old copy of Netscape FastTrack server, and it also passes the 
parameters on the command line, but it's apparently munging them in some 
way, because I get an error:

http://<NSserver>/analog/analog.exe?%2bC"HOSTNAME%20Test"

generates these errors:
analog.exe: Warning C: Unknown configuration command: ignoring it:
  "HOSTNAME
analog.exe: Warning F: Failed to open logfile Test": ignoring it

I used this ANALOG.CFG for this test:
LOGFILE c:\logs\*.log
CGI ON
OUTFILE stdout
ERRFILE error.txt

(The NS logfile only captured the last line of stderr - ERRFILE helped a 
great deal. I also tried to escape the " to %22. Analog is definitely getting 
the arguments, it's just confused about them).

>At this moment, I'm minded to remove the CGI command from analog altogether, 
>and only allow CGI access via anlgform.pl. This is in some ways less 
>convenient, but I don't think I can advertise a feature when it's very 
>likely to be set up as a security risk.

Does this just mean taking the "Content-Type: text/html;" line out of the 
EXE, and having the script create it? Or would it entail more extensive 
changes? How about just disabling HEADERFILE (and the other dangerous 
parameters) if CGI ON is set?

>In fact, it's worse than that. Even if people don't ever find the CGI 
>command, they still sometimes put analog.exe in their CGI directory, 
>thinking it's somehow a CGI script [*], and they would still be vulnerable 
>to this exploit.
>
>Does anyone have any comments on this proposal (to disable the CGI 
>command), for or against?

Setting up Analog with the forms interface is definitely confusing 
(until you get it working - and then it's all obvious :-). The 
simplicity of having analog.exe doing the CGI headers itself is very 
attractive, but it definitely opens a can of worms!

Aengus
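The mechanism the thread is circling around is the CGI/1.1 "indexed query" rule (RFC 3875, section 4.4): when a GET query string contains no unencoded "=", the server may split it on "+", percent-decode each piece and hand the pieces to the program as command-line arguments. That is exactly how %2bC"HOSTNAME%20Test" arrives at analog.exe as +C"HOSTNAME Test", and why an attacker can append a +C"HEADERFILE ..." of their own. The following is an added example, not analog's or anlgform.pl's code: it applies the indexed-query rule to a constructed query string and then filters analog-style +C commands the way the thread says anlgform.pl does. Only HEADERFILE is named on this page as dangerous; the other commands in the blocklist, and the file name in the attack string, are assumptions made for the demonstration.

```python
"""Added example: CGI indexed-query argv construction and a +C command filter.
Not analog's own code; written to illustrate the mailing-list discussion."""
from urllib.parse import unquote

# Analog config commands that read or write named files and so must never be
# accepted from a URL. HEADERFILE is the one the thread names; the rest are an
# assumption about which other commands touch the filesystem.
BLOCKED_COMMANDS = {"HEADERFILE", "FOOTERFILE", "OUTFILE", "ERRFILE",
                    "LOGFILE", "CACHEFILE", "CACHEOUTFILE"}


def cgi_indexed_argv(query_string):
    """Apply the CGI/1.1 'indexed query' rule (RFC 3875 section 4.4).

    If QUERY_STRING has no unencoded '=', split it on '+' and percent-decode
    each piece; a server implementing the rule passes the pieces as argv.
    Otherwise argv is left empty (the data is a form, not a search)."""
    if "=" in query_string:
        return []
    return [unquote(piece) for piece in query_string.split("+") if piece]


def config_commands(argv):
    """Return (COMMAND, args) for every analog-style +C"COMMAND args" argument.

    +C is analog's option for giving a configuration command on the command
    line; the surrounding quotes are the user's shell-style quoting."""
    commands = []
    for arg in argv:
        if not arg.startswith("+C"):
            continue
        body = arg[2:].strip('"')
        word, _, rest = body.partition(" ")
        commands.append((word.upper(), rest))
    return commands


def filter_argv(argv):
    """Split argv into (allowed, rejected), dropping blocked +C commands.

    Non-+C arguments (log file names, +O-, ...) pass through unchanged, as
    do +C commands that only change report content such as HOSTNAME."""
    allowed, rejected = [], []
    for arg in argv:
        cmds = config_commands([arg])
        if cmds and cmds[0][0] in BLOCKED_COMMANDS:
            rejected.append(arg)
        else:
            allowed.append(arg)
    return allowed, rejected


# Constructed inputs: the legitimate query from the thread (with %20 for the
# space, as in the Netscape test) and the same query with a HEADERFILE command
# appended. The file name is made up for the demonstration.
LEGIT = 'c:\\logs\\jun.log+c:\\logs\\jul.log+%2bC"HOSTNAME%20Test"+%2bO-+%2bC"CGI%20ON"'
ATTACK = LEGIT + '+%2bC"HEADERFILE%20c:\\boot.ini"'


if __name__ == "__main__":
    for label, qs in (("legit", LEGIT), ("attack", ATTACK)):
        argv = cgi_indexed_argv(qs)
        allowed, rejected = filter_argv(argv)
        print(label, "argv:", argv)
        print(label, "commands:", config_commands(argv))
        print(label, "rejected:", rejected)
```

Note that the rule splits on every "+", so the thread's original %2bC"HOSTNAME+Test" becomes the two arguments +C"HOSTNAME and Test", which is the same shape as the two warnings the Netscape server produced; encoding the space as %20 keeps the command in one argument.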
------------------------------------------------------------------------
This is the analog-help mailing list. To unsubscribe from this
mailing list, send mail to [EMAIL PROTECTED]
with "unsubscribe analog-help" in the main BODY OF THE MESSAGE.
List archived at http://www.mail-archive.com/analog-help@lists.isite.net/
------------------------------------------------------------------------