[icecast-dev] [PATCH] is it of any interest ?
Jerome Alet
alet at unice.fr
Wed Nov 7 07:44:22 PST 2001
On Wed, 7 Nov 2001, Jack Moffitt wrote:
> > of course this is not secure at all yet, but anyway maybe it's useful to
> > someone as a starting point.
> >
> > any comment ?
>
> I recommend that _no one_ run this patch on any server. It allows
> execution access to any file on the system as the user that icecast is
> run as. This is a surefire way to get yourself hacked to hell.
You're perfectly right of course !
This was just a try, if you put this on a production server you should be
shot dead immediately ;-) and that's why I didn't post it to
icecast at xiph.org !
Please consider this as a starting point, it was a 30 minutes hack without
knowing any of icecast internals. I even don't know how popen behaves in
a heavily multithreaded application.
> cgi's need to be run from a certain directory only.
yes, but I didn't want to put it in /static/ and I didn't want to
add an entry to the config file just for testing.
a new cgi-dir entry in icecast.conf would be fine, and if unset it would
be completely deactivated for security reasons.
maybe a cgi-user and a cgi-follow-symlinks entries would be fine too.
> You shouldn't allow arbitrary files to be executed. Also you need to
> pass a modified environment to the script in order for this to be real
> CGI.
Yes, the following test program was used and may prove to be useful in
testing such a functionnality :
--- CUT ---
#! /usr/bin/python
import cgi
cgi.test()
--- CUT ---
Are you interested in me trying to make it more secure or do you prefer to
let other servers (Apache) handle this sort of things and stop now ? Again
this was just a quick hack and I don't mind putting it in the trashcan.
bye,
Jerome Alet
--- >8 ----
List archives: http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to 'icecast-dev-request at xiph.org'
containing only the word 'unsubscribe' in the body. No subject is needed.
Unsubscribe messages sent to the list will be ignored/filtered.
More information about the Icecast-dev
mailing list