Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

cgi script calls cmd.exe security impact

Status
Not open for further replies.
winston6071

winston6071

Programmer
Nov 22, 2000
52
AT
Hello!
What would be the security impact if we would create a user group for some domain users and give this group access rights to the local "cmd.exe" which is called by an cgi application for doing some conversions in background ?

We tried this with the IUSR.... it worked, but the Admin for this page wants to have the Integrated windows authenticaton enabled and then its not working anylonger, cause the users has to less rights for this kind of call.

With enabling the IWA, the application is runnning, but only if the users getting local access rights to the "cmd.exe".

are we thinking paranoid or is there a nice recommended way how to solve this kind of issue correctly.

thanks in advance
 
Sort by date Sort by votes
Allowing the use of CMD.EXE especially accessible through CGI is an incredibly large security hole. If you need to perform "background conversions" (don't really know what this entails), but can't you set this up to run as a scheduled task entirely separate from your web environment.

If you really do need this functionality, I would start by renaming CMD.EXE to something else that is less obvious, and secure the file to only allow certain users to run it

Hope this helps
 
Upvote 0 Downvote
thanks for the answer, yes this is exactly what i thought but i do not really know the impact would be to allow it in this way, cause how would someone access this cmd.exe...

anyhow i am not a hacker so they know it for sure :)

scedule, thats what we do already for the time someone knows a better solution.

if you or someone else knows more details about how someone would use this "whole" i would be interested in it to understand this thing, especially to understand how an application should be secured on a IIS.
 
Upvote 0 Downvote
thanks for the infos, and yes the sceduled task seems to be a good thing, but the application developper wants to call this file on demand....

What if we create a batch file which will get called from this application. this would theoretically minimize the security impact as well ? does it ?

 
Upvote 0 Downvote
If the batch file calls CMD.EXE this is NOT any safer. If you are running a specific command (without activating the CMD shell) then you best be served by using a VBScript program that will run the command
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

amanua
  • Locked
  • Question
Event ID 4776 Security Log
Replies
0
Views
191
amanua
amanua
justkool
  • Locked
  • Question
Script to switch primary SMTP proxyaddress
Replies
0
Views
135
justkool
justkool
mezta21
  • Locked
  • Question
My iPXE or gPXE does not read my script file on my iscsi target server (Windows Server 2012 R2)
Replies
0
Views
201
mezta21
mezta21
Bigbadjoe
  • Locked
  • Question
Issue with Security sharing folder on Server 2012.
Replies
0
Views
158
Bigbadjoe
Bigbadjoe
Bigbadjoe
  • Locked
  • Question
Issue with Security sharing folder on Server 2008
Replies
1
Views
137
wtotten
wtotten

Part and Inventory Search

Sponsor

Back
Top