[BlueOnyx:22580] Re: 5209R: CGI-Wrapper working again

Ken Hohhof khohhof at kwom.com
Fri Jan 4 09:33:44 -05 2019


Depending on which version of formmail.pl, no customer should be allowed to
run that script on their site.  It virtually guarantees that your sendmail
will be used by spammers to relay spam.  It is like a customer putting a
bomb in your office and you take a hands-off approach, refusing to call the
bomb squad because it is a customer bomb.  Just because it's a customer
doesn't mean you have to let them put any vulnerable script they want on
YOUR server.  Would you take the same position if they put malware on their
site, or an unpatched version of WordPress that will get hacked?  The
customer is not always right.


-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of Dirk
Estenfeld
Sent: Friday, January 4, 2019 8:08 AM
To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
Subject: [BlueOnyx:22579] Re: 5209R: CGI-Wrapper working again

Hello,

It is not my script, it is a customer script.
Yes, I know that there are a bunch of better scripts. But it is not my
position to change customer-owned websites.
I have changed the configuration from the wrapper to a ScriptAlias directive
in the Apache configuration. So I do not have the error any longer. However,
it should be something like this:

CGIWrap Error: Server UserID Mismatch
CGIWrap Error: Server UserID Mismatch

The userid that the web server ran cgiwrap as does not match the userid that
was configured into the cgiwrap executable.

This is a configuration/setup problem with cgiwrap on this server.
Please contact the server administrator.

Best regards,
Dirk


---

blackpoint GmbH – Friedberger Straße 106b – 61118 Bad Vilbel



-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of Michael
Stauber
Sent: Thursday, 3 January 2019 19:39
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:22578] Re: 5209R: CGI-Wrapper working again

Hi Dirk,

> hmm, unfortunately it is not working for me. I can name it formmail.pl 
> or formail.cgi, I can place it in cgi-bin directory or on some other 
> place. I always get the ownership error message...

Uuuuh. That formmail script? I'd bin it. Like Ken said: If it's what I think
it is, then it's really shitty.

What's the exact error message you get in the browser? I've seen two
different ones now in my tests and I'd like to know which of these you see.

FWIW: I've now found a 5209R where neither *.cgi nor *.pl works, even if
everything is configured correctly (UID, GID, permissions). And that runs
the same version of cgiwrap as the box where at least *.pl works.

So yeah, there is something fishy with cgiwrap again. Maybe it's related
to a recent OS update. I'll have to dig into that.

--
With best regards

Michael Stauber