Author Topic: CGI bin  (Read 1435 times)


wkellen
« on: January 22, 2013, 09:02:04 pm »
I have a Linksys router running DD-WRT. I have written a CGI script to control GPIO pins on it. I can access this with my smartphone and control the pins the way I want from a webpage the router is serving. My problem is that every time I try to access it, I am asked for username/password. The smartphone will not save this info so I have to punch it in every time. It is not attached to the web and is not something I need secured. Does anyone know how I do this so it doesn't ask for the password? I tried chmod 777 on everything and it didn't help. The username / password it has to have is the root one.

Mark Greaves (PCNetSpec)
« Reply #1 on: January 23, 2013, 12:10:55 am »
Is it the web interface that's prompting for the username and password .. or is the web interface displaying a terminal where when you run the command it's prompting for username and password ?

Who is the script owned by ?

Who is the webserver (that serves the web interface) owned by ?

.
« Last Edit: January 23, 2013, 12:14:11 am by Mark Greaves (PCNetSpec) »
WARNING: You are logged into reality as 'root'

logging in as 'insane' is the only safe option.

wkellen
« Reply #2 on: January 23, 2013, 05:53:13 am »
The web interface is what asks for the username and password.

I am not sure who the owner of the page is or who it runs as. I will look into that. I am guessing I need to create another page and run the command 'whoami' in the webpage to find out who it is run as. I will guess it runs as user "root".

Mark Greaves (PCNetSpec)
« Reply #3 on: January 23, 2013, 10:30:45 am »
If it's the web interface that's asking for it, why won't your phone's browser remember the login/form details ?

Which mobile browser do you use .. there are plugins for firefox mobile such as:-
https://addons.mozilla.org/en-US/firefox/addon/rememberpass/?src=search
and there may be for yours too.

wkellen
« Reply #4 on: January 23, 2013, 03:17:50 pm »
I use an iPhone and I saved the shortcut to my main screen. When I click it, it pops up in Safari. Safari won't save them at all for me. I have changed settings for it and nothing works. I just switched my default browser to Chrome and I will see if it retains the passwords for me. Thanks.

Mark Greaves (PCNetSpec)
« Reply #5 on: January 23, 2013, 03:21:26 pm »
Is there no Firefox Mobile for the iPhobia ?

The Firefox Addon I mentioned will even save passwords for https web pages that pass the autocomplete=off flag to the browser .. autocomplete=off is supposed to tell the browser NOT to remember form data such as passwords.

There may be similar plugins for Safari and Chrome though.

.
« Last Edit: January 23, 2013, 03:27:44 pm by Mark Greaves (PCNetSpec) »

wkellen
« Reply #6 on: January 23, 2013, 04:25:00 pm »
I tried Chrome and for some sites it allows me to save the password, but this one doesn't give me the option to save. Is there an HTML code I am leaving out of the site that allows the browser to save it? I am not seeing a Firefox for the iPhone. That's a shame if they don't have one, because that is my browser of choice on all of my PCs.

Mark Greaves (PCNetSpec)
« Reply #7 on: January 23, 2013, 05:16:34 pm »
Try this plugin in Chrome
https://chrome.google.com/webstore/detail/autocomplete-on/ecpgkdflcnofdbbkiggklcfmgbnbabhh?hl=en-AU

wkellen
« Reply #8 on: January 23, 2013, 07:34:18 pm »
A little clarification here.

There is no form in the webpage that asks for a login. Therefore there is nothing that can be autocompleted from what I can tell.

I even ran a JavaScript on the page and it said there were 0 items to autocomplete.

I am guessing it is a permissions thing. All of the files in this directory including the directory itself have been set to chmod 777. It still requires the root username and password. I don't see any kind of htaccess type of security either. It is in a CGI-bin directory. Is it possible the CGI-bin directory name has some sort of higher security override that cancels my chmod 777? ls -l returns a rwx on everything.
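
Added example, not part of the original thread: a prompt that appears although the page has no login form is what a browser shows for an HTTP authentication challenge (status 401 with a `WWW-Authenticate` header), which is decided by the web server and is separate from both HTML `autocomplete` settings and file permissions. The sketch below tells the two cases apart from a response's status, headers and body; the sample responses, the realm name and the function name are assumptions made for illustration.

```javascript
// Added example: decide whether a login prompt is an HTTP authentication
// challenge or an HTML form. All sample responses below are constructed.
function classifyLoginPrompt(response) {
  const headers = {};
  for (const [name, value] of Object.entries(response.headers || {})) {
    headers[name.toLowerCase()] = value; // header names are case-insensitive
  }
  const challenge = headers["www-authenticate"];
  if (response.status === 401 && challenge) {
    // The browser draws its own dialog; the page contains no form to autocomplete.
    const scheme = challenge.trim().split(/\s+/)[0];
    const realm = (challenge.match(/realm="([^"]*)"/i) || [])[1] || null;
    return { kind: "http-auth", scheme, realm, passwordFields: 0, autocompleteOff: 0 };
  }
  // Otherwise look for password inputs and whether autocomplete is disabled.
  // Regex matching is enough for this sketch; it is not a full HTML parser.
  const offAttr = /\bautocomplete\s*=\s*["']?off\b/i;
  const forms = (response.body || "").match(/<form\b[^>]*>[\s\S]*?<\/form>/gi) || [];
  let passwordFields = 0;
  let autocompleteOff = 0;
  for (const form of forms) {
    const formOff = offAttr.test(form.match(/^<form\b[^>]*>/i)[0]);
    for (const input of form.match(/<input\b[^>]*>/gi) || []) {
      if (!/\btype\s*=\s*["']?password\b/i.test(input)) continue;
      passwordFields += 1;
      if (formOff || offAttr.test(input)) autocompleteOff += 1;
    }
  }
  const kind = passwordFields > 0 ? "html-form" : "none";
  return { kind, scheme: null, realm: null, passwordFields, autocompleteOff };
}

// Constructed samples: the realm name and the HTML are assumptions.
const samples = {
  challenge: { status: 401, headers: { "WWW-Authenticate": 'Basic realm="router"' }, body: "" },
  form: {
    status: 200,
    headers: { "Content-Type": "text/html" },
    body: '<form method="post" autocomplete="off"><input type="text" name="u">' +
          '<input type="password" name="p"></form>',
  },
  open: { status: 200, headers: {}, body: "<html><body>GPIO status</body></html>" },
};

for (const [name, response] of Object.entries(samples)) {
  console.log(name, JSON.stringify(classifyLoginPrompt(response)));
}
```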


SeZo
« Reply #9 on: January 23, 2013, 09:13:05 pm »
Not knowing much about this, but I would be guessing that you need the username/password to access the router in the first place, not just the specific page?
Have you tried to disable the requirement for this (if at all possible, or even advisable)?
Go to Administration -> Management -> Remote Access.

wkellen
« Reply #10 on: January 24, 2013, 02:38:52 am »
Looks like you cannot turn off the username and password settings. Trying to figure out how to find out what user the served webpage is running as....

wkellen
« Reply #11 on: January 24, 2013, 02:57:58 am »
Looks like everything is running as root users.

Something I did find out though. If I connect to the router and go to the web address of 192.168.1.254 it will go straight to 192.168.1.254/index.asp with no username or password needed. If I try to go to anything else being served it asks for username and password.

wkellen
« Reply #12 on: January 24, 2013, 03:10:36 am »
The directory structure is:

/www/
there is a link in there "user" that points to /jffs/www
I have files in here and I can go to any of these files and not provide the username and pass.
However anything in /jffs/www/cgi-bin/ I am asked for uname/pass.
cgi-bin is listed as drwxrwxrwx root root
Every file inside cgi-bin directory is listed as rwxrwxrwx root root.

Anyone have any ideas? Like I said, this is not hooked to the internet or any computer. So canning the security is what I want.

Mark Greaves (PCNetSpec)
« Reply #13 on: January 25, 2013, 01:06:59 am »
Who is the /jffs/www directory owned by ?

and do you know which webserver it's running .. apache ?

.
« Last Edit: January 25, 2013, 01:09:30 am by Mark Greaves (PCNetSpec) »

wkellen
« Reply #14 on: January 25, 2013, 03:55:12 am »
That directory is owned by root.

I have no idea what it is. I found an httpd running. I found the httpd file, but no httpd.conf file.

 

