newlisp security

Started by eddier, March 24, 2004, 08:17:17 AM


eddier

Lutz,



I know I ask for a bunch of stuff, but could you have a version of newLISP without command line arguments? I would like to be able to copy the newLISP executable and init.lsp into a cgi-bin without having to worry about crackers using the command line switches to get into our system. Every time there is an update to newLISP, I could upload the new executable into the without pestering our ISP server administrator to install it.



Eddie

eddier

#1
Never mind, our ISP server has everything so locked down it isn't going to work anyway.



Eddie

Lutz

#2
Anyway, I will supply an option NOCMD you can stick into the makefile_xxx with -DNOCMD to suppress command line switch processing.



Lutz

Lutz

#3
Concerned about security, I just tried to abuse cgi by supplying commandline parameters and don't think that it is possible when the following rules are followed:



(1) Don't allow calling newlisp directly from the URL. Practically all webserver installations will not allow this and allow only specific extensions for scripts, like cgi, asp, php etc.



(2) The cgi script must exit when the work is done. Only if the cgi doesn't exit, commandline parameters after the cgi file would be executed.



But even when not following these rules Apache would give an error on my ISP, because it will read the switches as filenames and report a "non existing file" error. newLISP httpd will hang on the missing (exit) in the cgi file and else report a "file type not allowed" taking the command spec as a filename like Apache.



So I don't think there should be any security concerns even when command line switches are enabled.



Lutz
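A check for rule (2) in the post above, as an added example that is not part of the original thread or of newLISP: it flags newLISP CGI scripts whose last top-level form is not a call to `exit`. The sample scripts, file names and interpreter path are constructed for illustration, and "last top-level form" is a heuristic assumed here, not a rule stated by the posters.

```python
import re

EXIT_FORM = re.compile(r"\(\s*exit\b")

# Constructed sample scripts (not from the thread); /usr/bin/newlisp is an assumed path.
SAMPLES = {
    "good.cgi": '#!/usr/bin/newlisp\n(print "Content-type: text/html\\r\\n\\r\\n")\n'
                '(println "ok")\n(exit)\n',
    "missing_exit.cgi": '#!/usr/bin/newlisp\n(print "Content-type: text/html\\r\\n\\r\\n")\n'
                        '(println "call (exit) later") ; (exit)\n',
    "other.cgi": "#!/bin/sh\necho hi\n",
}

def top_level_forms(src):
    """Split newLISP source into top-level (...) forms, skipping ; and # comments
    and "..." strings. {...} and [text] strings are not handled (simplification)."""
    forms, depth, start, i, n = [], 0, 0, 0, len(src)
    while i < n:
        c = src[i]
        if c in ";#":                       # comment runs to end of line
            while i < n and src[i] != "\n":
                i += 1
            continue
        if c == '"':                        # skip a quoted string, honouring \ escapes
            i += 1
            while i < n and src[i] != '"':
                i += 2 if src[i] == "\\" else 1
            i += 1
            continue
        if c == "(":
            if depth == 0:
                start = i
            depth += 1
        elif c == ")" and depth > 0:
            depth -= 1
            if depth == 0:
                forms.append(src[start:i + 1])
        i += 1
    return forms

def uses_newlisp(src):
    """True when the shebang line names a newlisp interpreter."""
    first = src.split("\n", 1)[0]
    return first.startswith("#!") and "newlisp" in first.lower()

def audit(scripts):
    """Return names of newLISP scripts whose last top-level form is not (exit ...)."""
    return [name for name, src in sorted(scripts.items())
            if uses_newlisp(src)
            and not (top_level_forms(src)[-1:] and EXIT_FORM.match(top_level_forms(src)[-1]))]

if __name__ == "__main__":
    print(audit(SAMPLES))
```
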

eddier

#4
Thanks.



I tried to put a copy of newLISP directly in the cgi-bin directory and put



"#!/path/newlisp"



where path goes from the root all the way down to cgi-bin as the first line in my script. Apache just gives me internal errors.



Eddie