Traduisez - Übersetzen - Traduzca - Traduza - Tradurre - Translate

Re: Command line prompt through apache?

Ted Powell (ted@eslvcr.fireplug.net)
Sat, 14 Feb 1998 12:33:30 -0800

On Sat, Feb 14, 1998 at 09:09:48AM -0800, Andrew Derry wrote:
> Does this sound a little far fetched to you? It does to me..
>
> Someone at work yesterday was trying to convince me that _any_ web server
> is like an open invitation to hackers.. he was saying things like "just go
> on the net and look, and you'll see ways to get a command line prompt
> through any unix web server..."

If there's a CERT advisory on this, have him give you a reference to it.
If there isn't, then it's his duty as a netizen to report it to them.

I predict that his reaction will be on a par with that of "alien
abduction" believers who are challenged to make formal reports of
kidnappings to the FBI.

Your "informant" makes a rather strong claim when he says "any unix web
server"--which I would take to include servers which provide only HTML
pages, with no forms, no CGI, etc.

By using forms and CGI it is of course possible to _deliberately_ provide
a command-line facility, and it may be that a page builder application
exists somewhere that generates pages with an exploitable weakness,
but his claim is too broad to be plausible.

It may be that he knows of a vulnerability which, although less widespread
than his claim, is nonetheless real. If he keeps it to himself, he's
part of the problem.

Command Line Prompt Traduisez - Übersetzen - Traduzca - Traduza - Tradurre - Translate

Command Line Prompt

bash$ _

-- ted@psg.com http://psg.com/~ted/ (Ted Powell) N.B. I have closed the ted@wimsey.com account. If you believe everything that skeptics tell you, you aren't listening to what they're saying.