Robert Frank wrote:
> Hi,
>
> I've stumbled across a peculiar problem with httpd apache 2.0.47 on
> solaris 9 at my other working place:
>
> the configuration includes a cgi-alias and an appropriate directory
> directive to execute cgi programs (perl scripts in our case, but
> that's irrelevant).
>
> All is well if the name of the file to execute does not exist on any
> other PATH defined by the server on startup. If the file to execute
> exists on one of the paths in the PATH environment, THAT will be run
> instead of the one in the cgi-bin directory. By using truss, we've
> traced the exact processing of data:
>
> apache receives the request, searches for the file in the given cgi
> directory, if found, it changes to the cgi-bin directory.
> Then it calls execve with JUST the name of the file to execute.
> Solaris execve, however, starts checking the PATH variable for the
> executable. If it finds anything with the same name in one of the
> paths, THAT is executed, regardless of the fact that the httpd had
> changed to the cgi-bin directory. This is because the PATH does not
> include '.' as the first element.
>
> The fix would be very simple: call execve with the full path and name.
>
> I consider this a security bug, as we definitely want to execute
> just that file, not anything else.
>
> Unfortunately, I'm not able to install the latest version of apache,
> as I don't have any solaris box around here and I'm not allowed to
> install anything at the other working place.
> Has anyone had the same problem?
>
> Robert

Have not had the same problem... However, it sounds like you can deal
with it via the Apache SetEnv and UnsetEnv directives. In your
configuration file (or even a local .htaccess if they allow it) you can
unset the PATH and then set it to what you want. See

http://httpd.apache.org/docs/2.0/mod/mod_env.html
http://httpd.apache.org/docs/2.0/env.html

for more information. This is actually a pretty good thing to do in
general to tighten up security.
Note also that Perl allows you to do the same thing, so there might be
an opportunity to limit things further down the process. (I won't ask
why you have tools named exactly the same as some tool in Solaris...).

hugh
--
Hugh Williams                "There are two things to aim for in life;
hugh_williams@xxxxxxxxxxx    first, to get what you want; and after that,
Agilent Technologies         to enjoy it. Only the wisest of mankind
Santa Rosa 2US-C             achieve the second."
707.577.4941                 - Logan Pearsall Smith, 1931

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.