
cgi script calls cmd.exe security impact

Status
Not open for further replies.

winston6071

Programmer
Nov 22, 2000
52
AT
Hello!
What would be the security impact if we created a user group for some domain users and gave this group access rights to the local "cmd.exe", which is called by a CGI application for doing some conversions in the background?

We tried this with the IUSR.... it worked, but the admin for this page wants to have Integrated Windows authentication enabled, and then it's not working any longer, because the users have too few rights for this kind of call.

With IWA enabled, the application is running, but only if the users get local access rights to the "cmd.exe".

Are we thinking paranoid, or is there a nice recommended way to solve this kind of issue correctly?

Thanks in advance
 
Allowing the use of CMD.EXE, especially accessible through CGI, is an incredibly large security hole. If you need to perform "background conversions" (I don't really know what this entails), can't you set this up to run as a scheduled task entirely separate from your web environment?

If you really do need this functionality, I would start by renaming CMD.EXE to something else that is less obvious, and secure the file to only allow certain users to run it.

Hope this helps
 
Thanks for the answer. Yes, this is exactly what I thought, but I do not really know what the impact would be to allow it in this way, because how would someone access this cmd.exe...

Anyhow, I am not a hacker, so they know it for sure :)

Schedule, that's what we do already until someone knows a better solution.

If you or someone else knows more details about how someone would use this "hole", I would be interested in it to understand this thing, especially to understand how an application should be secured on an IIS.
 
Thanks for the info, and yes, the scheduled task seems to be a good thing, but the application developer wants to call this file on demand....

What if we create a batch file which will get called from this application? This would theoretically minimize the security impact as well? Does it?

 
If the batch file calls CMD.EXE, this is NOT any safer. If you are running a specific command (without activating the CMD shell), then you would be best served by using a VBScript program that will run the command.
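
The last reply's advice to run one specific command without activating the CMD shell, sketched in Python as an added example (not code from this thread, which suggests VBScript). The `work` directory, the file-name pattern and the stand-in converter are assumptions made for the illustration.

```python
import re
import subprocess
import sys
from pathlib import Path

# Assumption: files to be converted live in one fixed directory.
WORK_DIR = Path("work").resolve()
# Allowlist of plain file names: no path separators and none of the
# characters a command shell would interpret (&, |, <, >, ^, %, quotes).
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:txt|csv)")


def build_argv(converter, requested_name):
    """Return the argument vector for the converter, or raise ValueError."""
    if not SAFE_NAME.fullmatch(requested_name):
        raise ValueError("rejected file name: %r" % requested_name)
    source = (WORK_DIR / requested_name).resolve()
    if source.parent != WORK_DIR:  # defence in depth against traversal
        raise ValueError("file is outside the work directory")
    return list(converter) + [str(source)]


def convert(converter, requested_name, timeout=30):
    """Run the converter directly: no cmd.exe, no batch file, no shell."""
    argv = build_argv(converter, requested_name)
    # shell=False starts the program itself; every list item is handed over
    # as one argument and is never parsed as a command line.
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout, check=False)
    return done.returncode, done.stdout


# Constructed stand-in for the real conversion tool: echoes its one argument.
DEMO_CONVERTER = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

if __name__ == "__main__":
    print(convert(DEMO_CONVERTER, "report.txt"))
    # Constructed request values that must never reach a process launch.
    for bad in ("report.txt & dir", "..\\cmd.exe", "a.txt|more"):
        try:
            convert(DEMO_CONVERTER, bad)
        except ValueError as err:
            print(err)
```

With this shape the web users need execute rights only on the one converter binary, not on cmd.exe, and request data is checked before any process is started.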
 