Yes, but the apache server has only access to CGI programs residing in
libraries
that has been preconfigured trough directives in the httpd.conf file that
ofcource is
protected by an directive that is hidden

It dosn't have any other access to any other recources in /root/qsys.lib/

On Tue, Apr 12, 2011 at 11:33 PM, John Jones <chianime@xxxxxxxxx> wrote:

"Which is entirely read-only. "

Actually, it is not. From the 7.1 InfoCenter:

The QTMHTTP1 user profile is the default user profile that HTTP Server uses
when running CGI programs. This user profile must have read and execute
authority to the location of any CGI program. User QTMHHTTP requires *RWX
(write) authority to directory '*/tmp*'.

You can optionally specify that the QTMHHTTP or QTMHHTP1 user profile swap
to another user profile as long as that user profile has the required
authorities.

- *RX authority for root directory ("/ ") and directory "/www", including
all subdirectories in the path
- *RWX authority for directory "/www/server_name/"


On Tue, Apr 12, 2011 at 2:09 PM, Joe Pluta <joepluta@xxxxxxxxxxxxxxxxx
wrote:

On 4/12/2011 1:17 PM, John Jones wrote:
If I, with my mad haxxor skillz, can uncover& exploit a flaw I might
gain
access to the underlying server (probably by running shell commands
within
the web server or by running a shell directly). Most likely not as
Administrator/root/QSECOFR but as the user running the web server.

It's mad simple to provide zero update access to the default user
profile. Especially on the i, where you can adopt authorities as
necessary.

Now take two scenarios:
1. Consolidated environment: I am free to exploit the authority of the
profile the web server is running on.

Which is entirely read-only. Thanks for playing our game!

And if you set up an environment where a web user profile can alter the
server configuration you probably should consider another line of work.

Joe
--
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.




--
John Jones, CISSP
--
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.





This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].