[users@httpd] CGI runs wrong program - security issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I've stumbled accross a peculiar problem with httpd apache 2.0.47 on solaris 9 at my other working place:

the configuration includes a cgi-alias and an appropriate directory directive to execute cgi programs (perl scripts in our case, but that's irrelevant).

All is well if the name of the file to execute does not exist on any other PATH defined by the server on startup. If the file to execute exists on one of the paths in the PATH environment, THAT will be run instead of the one in the cgi-bin directory. By using truss, we've taced the exact processing of data:

apache recieves the request, searches for the file in the given cgi directory, if found, it changes to the cgi-bin directory. Then it calls execve with JUST the name of the file to execute. Solaris execve, however, starts checking the PATH variable for the executable. If it finds anything with the same name in one of the paths, THAT is executed, regardles of the fact that the httpd had changed to the cgi-bin directory. This is because the PATH does not include '.' as the first element.

The fix would be very simple: call execve with the full path and name.

I consider this a security bug, as we definitively want to execute just that file, not anyhting else.

Unfortunately, I'm not able to install the latest version of apache, as I don't have any solaris box around here and I'm not allowed to install anything at the other working place.
Has anyone had the same problem?

Robert


Departement Informatik   FGB   tel   +41 (0)61 267 14 66
Universität Basel                          fax. +41 (0)61 267 14 61
Robert Frank
Klingelbergstrasse 50                 Robert.Frank@xxxxxxxxx
CH-4056 Basel
Switzerland http:// www.informatik.unibas.ch/personen/frank_r.html




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux