
Comments (19)

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Can you use CGI mode? That's what most people use for this particular use case. I just added a (very!) simple example on how to use it:
http://shellinabox.googlecode.com/svn/trunk/shellinabox/cgi-mode-example.sh

Original comment by [email protected] on 17 Aug 2009 at 5:16

  • Changed state: Done

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
The problem with that solution is that the program is still running even when I close the session.
In daemon mode only one instance is running.
The best solution would be if I could pass parameters to the daemon as part of opening the session.
For example, http://127.0.0.1:4200?cmd=ls will run the ls command.

Original comment by [email protected] on 19 Aug 2009 at 2:42

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
The daemon doesn't know whether you closed the session, or whether your browser is just really slow to send requests. So, it'll wait a little longer to see if new requests arrive. If you check again after a minute or two, you'll see that the daemon has terminated.

In general, passing commands in the URL is a very bad idea. This would allow anybody to run arbitrary commands on your computer. Even worse than that, this allows attacks from outside your firewall, too. All an attacker needs to do is trick you into viewing an HTML page that has a hidden link (e.g. in an image, style sheet, or iframe) pointing to the service inside of your firewall.

They could do this by sending you e-mail with a suitable HTML document, or by tricking you into visiting a web site that is under their control.

Having said all of that, and while I really don't think you should deploy ShellInABox in this fashion, I do think that there is some value in the session having access to the URL where the service is hosted. I added code that makes this URL available as a new "${url}" variable, which you can access from the service description.

Original comment by [email protected] on 19 Aug 2009 at 7:12

  • Changed state: Fixed

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
First, I want to thank you for all your work.
If I can be more precise with my question, the thing that I want to do is this: the user will enter an IP address in a text form, and then shellinabox will telnet to the IP. The IP will be passed with a POST method.
Right now I use a little script that asks the user for the IP only when the new window opens with shellinabox.

TNX again
Guy

Original comment by [email protected] on 20 Aug 2009 at 12:05

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Does that "${url}" parameter allow you to do what you want, or do you still need changes? This was a little unclear from your last message.

Original comment by [email protected] on 20 Aug 2009 at 10:07

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
The "${url}" parameter does not solve my problem.
If I need to telnet to 100 servers, then I need to create 100 URLs, and if a new server is created, then I need to add a new URL.
Am I doing something wrong?

Original comment by [email protected] on 23 Aug 2009 at 12:23

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
No wonder you are not happy. You only had half the changelist.

You could have made this work, if you had full control over your DNS server. Create a wild card A record for the machine that hosts ShellInABox. Then encode your target addresses in the hostname.

But of course, a much easier way is to encode the target address as http://my.domain:4200/?target. You then want a service description of the form

"/:$(id -u):$(id -g):HOME:"'/bin/bash -c "u=${url}; exec telnet \"\${u##*\\?}\""'

This should now work with the code that is in SVN.

Original comment by [email protected] on 23 Aug 2009 at 3:32

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Sorry for my late answer.
The solution works great :-)
Thanks.

I still have a minor problem: when I try to add the parameter through /etc/default/shellinabox (Ubuntu 9.04), it fails.
The problem is that the parameter is passed as 2 commands, one before the "-c" and another after.
Do you have any idea?

Original comment by [email protected] on 13 Sep 2009 at 7:47

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Just make sure you add some shell escaping:

SHELLINABOX_ARGS="${SHELLINABOX_ARGS} -s /telnet:$(id -u):$(id -g):HOME:/bin/bash\ -c\ u=\\\\\'\\\${url}\\\\\'\;'exec\ telnet\ \\\${u##*\\\?}'"

Alternatively, if this is too complicated, you could always write a wrapper shell script that just takes one argument. That would make escaping much easier -- or even unnecessary.

Original comment by [email protected] on 13 Sep 2009 at 11:33

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Issue 37 has been merged into this issue.

Original comment by [email protected] on 25 Nov 2009 at 11:21

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Just to get your opinion:

I'm using this service description:
shellinaboxd -s "/:$(id -u):$(id -g):HOME:"'/bin/bash -c "u=${url}; exec `cat /home/myuser/myfolder/\${u##*\\?}.cmd`"'

And I access it like http://192.168.0.1:4200/?file and I have the SSH command inside file.cmd, for instance.

My doubt is: is there any way a user could inject commands inside the URL, without being explicitly inside my cmd file? I don't see the way, so I'd like to know if you can see any.

Thanks.

Original comment by [email protected] on 27 Nov 2009 at 7:22

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
I'd be a little worried about somebody putting things like ../ into the URL in order to make ShellInABox read arbitrary files in your file system -- or even worse, if your machine has user-writable directories mounted, it would allow an attacker to run arbitrary code as a privileged user.

Original comment by [email protected] on 30 Nov 2009 at 9:13

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
Agreed.

I could put only the part after "ssh" in the command file or, even better, create a wrapper file which calls the command file only IF it is allowed (allowed = isin `ls /home/myuser/myfolder/`).

Original comment by [email protected] on 30 Nov 2009 at 9:38

from shellinabox.
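
A wrapper of the kind discussed in the comments above (a script that takes one argument and runs a command file only if it is really present in the allowed directory), as an added example that is not from the thread or the shellinabox project. The way it is invoked, the one-destination-per-file .cmd format and the 64-character limit are assumptions; /home/myuser/myfolder is the directory named in the thread.

```shell
#!/bin/sh
# Added example: hypothetical wrapper, assumed to be started from the service
# description with the thread's ${url} value as its single argument.
LC_ALL=C; export LC_ALL
CMD_DIR="${CMD_DIR:-/home/myuser/myfolder}"   # directory used in the thread

# Print the text after the last '?' in the URL; fail if the URL has no '?'.
url_query() {
  case "$1" in
    *\?*) printf '%s\n' "${1##*\?}" ;;
    *)    return 1 ;;
  esac
}

# Accept only letters, digits, '_' and '-' (max 64 chars, an assumed limit).
# This rejects '/', '.', spaces and shell metacharacters, so "../" cannot occur.
is_safe_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# Map the URL to a regular, non-symlink NAME.cmd file inside CMD_DIR.
resolve_cmd_file() {
  name=$(url_query "$1") || return 1
  is_safe_name "$name" || return 1
  file="$CMD_DIR/$name.cmd"
  [ -f "$file" ] && [ ! -L "$file" ] || return 1
  printf '%s\n' "$file"
}

# Assumed file format: the first line of NAME.cmd holds one ssh destination.
main() {
  file=$(resolve_cmd_file "$1") || { echo "request rejected" >&2; exit 1; }
  IFS= read -r target < "$file" || true
  [ -n "$target" ] || exit 1
  exec ssh -- "$target"     # quoted, and "--" ends ssh option parsing
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Because the name is checked before it is ever joined to a path, the escaping problems from the earlier comments do not arise: the URL is handled as one quoted argument and never re-parsed by a shell.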

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
I need some help with the cgi script. I wouldn't call myself new, but I don't get it.

First off, the description is a cgi script, which instinctively makes me think PERL. But this example is bash.

Secondly, I don't understand what the expected user experience is. Do they browse to my website whatever.com/cgi_mode.sh and it will execute shell in a box?


Original comment by [email protected] on 23 Mar 2010 at 9:25

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
I feel dumb, I just got it working, guys. But my next question is long-winded.

Currently I am running shellinabox via an apache proxy. I did this to ensure that it was passing through my apache's mandatory https connection. I think this is more secure than running shellinabox on its own, no? Ok, so shellinabox is configured to only allow local host, thus if I'm to connect to it remotely I must go through the apache https proxy.

Now when using this cgi script, it sounds to me like it spawns on a different port... or does it pass through apache?

I want the cgi-script so I can tie it into my php's session authentication, but I don't want it running on an unencrypted connection. I want both, user auth + ssl.

Original comment by [email protected] on 23 Mar 2010 at 9:45

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
How can I pass 2 parameters through the URL?
Let's say we have ?id=11&act=rename

It will detect 11%20rename

Original comment by [email protected] on 1 Jun 2010 at 3:25

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
How can I pass the username and password in the URL so that I don't need to ask the user for the username and password?

Original comment by [email protected] on 28 Jan 2014 at 9:05

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
> How can I pass the username and password in the URL so that I don't need to ask the user for the username and password?

+1. I also have this request. Is there any solution?

Original comment by [email protected] on 4 Apr 2014 at 2:56

from shellinabox.

GoogleCodeExporter avatar GoogleCodeExporter commented on July 23, 2024
To: [email protected]

Could you please tell us how we can use your script (for using shellinabox in CGI mode) from a php file? In fact, I have a web application and I want to specify which host to connect to every time a user wants to connect to his machine, and then return the terminal to him in another window. In brief, I don't know how to make the script and php interact with each other, to make the app take the result rendered by the script.

Thank you in advance !!

Original comment by [email protected] on 13 Aug 2014 at 4:05

from shellinabox.
