How to prevent the CGI script: cgi-telnet ?(http://www.rohitab.com/cgiscripts/cgitelnet.html)
Users on the server can telnet via a browser via perl commands.

This is a part of the script:

---
#------------------------------------------------------------------------------
# Main Program - Execution Starts Here
#------------------------------------------------------------------------------
&ReadParse;
&GetCookies;

$ScriptLocation = $ENV{'SCRIPT_NAME'};
$ServerName = $ENV{'SERVER_NAME'};
$LoginPassword = $in{'p'};
$RunCommand = $in{'c'};
$TransferFile = $in{'f'};
$Options = $in{'o'};

$Action = $in{'a'};
$Action = "login" if($Action eq ""); # no action specified, use default

# get the directory in which the commands will be executed
$CurrentDir = $in{'d'};
chop($CurrentDir = `$CmdPwd`) if($CurrentDir eq "");

$LoggedIn = $Cookies{'SAVEDPWD'} eq $Password;

if($Action eq "login" || !$LoggedIn) # user needs/has to login
{
&PerformLogin;
}
elsif($Action eq "command") # user wants to run a command
{
&ExecuteCommand;
}
elsif($Action eq "upload") # user wants to upload a file
{
&UploadFile;
}
elsif($Action eq "download") # user wants to download a file
{
&DownloadFile;
}
elsif($Action eq "logout") # user wants to logout
{
&PerformLogout;
}
----

Originally posted by yesyes
How to prevent the CGI script: cgi-telnet ?(http://www.rohitab.com/cgiscripts/cgitelnet.html)
Users on the server can telnet via a browser via perl commands.



You can do it several ways...

1. remove perl from the server (not recommended)
2. Disable execution of cgi scripts through the web browser
3. Remove or restrict execution privileges for the user(s) in question for binaries you don't want executed.

A number of other ways of doing it, but ... if you are going to allow execution of cgi scripts by users, you are going to have to have some level of (verified) trust in your users or spend a lot of time fighting a useless battle with them. If you don't let them execute the programs you have on the server, they can just upload their own copies and run those in many cases.

Thank you very much for your reply.

"3. Remove or restrict execution privileges for the user(s) in question for binaries you don't want executed."

How do I do that ?

Originally posted by yesyes
Thank you very much for your reply.

"3. Remove or restrict execution privileges for the user(s) in question for binaries you don't want executed."

How do I do that ?

you could chmod them to allow only the owner and/or group to execute them. Example: /usr/bin/ping owned by root/root (owner/group) could be chmod to 700 so that nobody but root was allowed to execute it.

You could also set up a chroot environment for the users and only include certain executables (the ones you don't mind if they execute) in it. Keep in mind that you must chroot the user the web server runs as, as well as individual users.

Also remember that neither of these options will prevent a user from uploading their own copy of ping (or other binaries) and running it instead of the one you already had on the server. Unless it is a binary that requires root access to install, you will be largely unsucessful at preventing users from executing something if they really want to. (Which they probably do if they are going to upload a telnet/cgi type of script)

Your best bet, if you don't trust your users and you must allow them ftp/web access, is to dis-allow the execution of cgi altogether, or restrict it to only certain directories such as a global cgi-bin, where you can control what is in that directory, because your users must ask you to install their scripts for them, as they don't have upload or write permissions for that directory.

Don't forget that PHP is capable of running system commands too, depending on how it is configured. By the time you get your server configured to where you don't allow users to run system commands via any method, you might just as well have just kicked all of the users off the server, which would be a lot easier than trying to keep them from doing anything with their account on the server.

As elsmore1 has pointed out, you're basically wasting your time trying to stop this type of thing if you're going to allow your hosting customers CGI access. The best, and only reasonable, form of prevention is a solid AUP specifying what type of script you do not allow. If you then find such a sript you can then remove it/customer for breach of contract.

Writing a CGI script that allows this type of access, or indeed to allow users to read other hosting customers data (and often overwrite it) is extremely trivial and easy on Cobalt RaQs.