Hi,I've stumbled accross a peculiar problem with httpd apache 2.0.47 on solaris 9 at my other working place:
the configuration includes a cgi-alias and an appropriate directory directive to execute cgi programs (perl scripts in our case, but that's irrelevant).
All is well if the name of the file to execute does not exist on any other PATH defined by the server on startup. If the file to execute exists on one of the paths in the PATH environment, THAT will be run instead of the one in the cgi-bin directory. By using truss, we've taced the exact processing of data:
apache recieves the request, searches for the file in the given cgi directory, if found, it changes to the cgi-bin directory. Then it calls execve with JUST the name of the file to execute. Solaris execve, however, starts checking the PATH variable for the executable. If it finds anything with the same name in one of the paths, THAT is executed, regardles of the fact that the httpd had changed to the cgi-bin directory. This is because the PATH does not include '.' as the first element.
The fix would be very simple: call execve with the full path and name.I consider this a security bug, as we definitively want to execute just that file, not anyhting else.
Unfortunately, I'm not able to install the latest version of apache, as I don't have any solaris box around here and I'm not allowed to install anything at the other working place.
Has anyone had the same problem? Robert Departement Informatik FGB tel +41 (0)61 267 14 66 Universität Basel fax. +41 (0)61 267 14 61 Robert Frank Klingelbergstrasse 50 Robert.Frank@xxxxxxxxx CH-4056 BaselSwitzerland http:// www.informatik.unibas.ch/personen/frank_r.html
--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx