[users@httpd] Re: CGI runs wrong program - security issue


 



Robert Frank wrote:
> Hi,
> 
> I've stumbled across a peculiar problem with httpd apache 2.0.47 on  
> solaris 9 at my other working place:
> 
> the configuration includes a cgi-alias and an appropriate directory  
> directive to execute cgi programs (perl scripts in our case, but  
> that's irrelevant).
> 
> All is well if the name of the file to execute does not exist on any  
> other PATH defined by the server on startup. If the file to execute  
> exists on one of the paths in the PATH environment, THAT will be run  
> instead of the one in the cgi-bin directory. By using truss, we've  
> traced the exact processing of data:
> 
> apache receives the request, searches for the file in the given cgi  
> directory, if found, it changes to the cgi-bin directory.
> Then it calls execve with JUST the name of the file to execute.  
> Solaris execve, however, starts checking the PATH variable for the  
> executable. If it finds anything with the same name in one of the  
> paths, THAT is executed, regardless of the fact that the httpd had  
> changed to the cgi-bin directory. This is because the PATH does not  
> include '.' as the first element.
> 
> The fix would be very simple: call execve with the full path and name.
> 
> I consider this a security bug, as we definitively want to execute  
> just that file, not anything else.
> 
> Unfortunately, I'm not able to install the latest version of apache,  
> as I don't have any solaris box around here and I'm not allowed to  
> install anything at the other working place.
> Has anyone had the same problem?
> 
> Robert

Have not had the same problem...  However, it sounds like you can deal
with it via the Apache SetEnv and UnsetEnv directives.  In your
configuration file (or even a local .htaccess if they allow it) you can
unset the PATH and then set it to what you want.  See

  http://httpd.apache.org/docs/2.0/mod/mod_env.html
  http://httpd.apache.org/docs/2.0/env.html

for more information.  This is actually a pretty good thing to do in
general to tighten up security.  Note also that Perl allows you to do
the same thing, so there might be an opportunity to limit things further
down the process.  (I won't ask why you have tools named exactly the
same as some tool in Solaris...).

hugh

-- 
 Hugh Williams                  "There are two things to aim for in life;
 hugh_williams@xxxxxxxxxxx       first, to get what you want; and after that,
 Agilent Technologies            to enjoy it.  Only the wisest of mankind
 Santa Rosa 2US-C                achieve the second."
 707.577.4941                         - Logan Pearsall Smith, 1931
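
An added example, not part of either message and not Apache code: a shell audit for the name collision described in this thread. It lists executable files in a CGI directory whose bare name a left-to-right PATH search, started from inside that directory, would resolve to a different file. The function names are hypothetical; the CGI directory and the PATH value are supplied by the caller.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not from the original thread.

# Print the first file a left-to-right search of PATH_VALUE finds for NAME.
# Usage: first_path_hit NAME PATH_VALUE
first_path_hit() (
    name=$1
    set -f; IFS=:                      # split on ':' only, no globbing
    for dir in $2; do
        [ -n "$dir" ] || dir=.         # empty PATH element = current directory
        real=$(cd "$dir" 2>/dev/null && pwd -P) || continue
        if [ -f "$real/$name" ] && [ -x "$real/$name" ]; then
            printf '%s\n' "$real/$name"
            exit 0
        fi
    done
    exit 1
)

# List CGI files whose bare name resolves outside the CGI directory.
# Usage: shadowed_cgi CGI_DIR PATH_VALUE
# Exit status: 0 = collisions printed, 1 = none, 2 = CGI_DIR unreadable.
shadowed_cgi() (
    # Runs in a subshell and changes into CGI_DIR first, so that '.' and
    # relative PATH entries are resolved from there, as in the thread.
    cd "$1" 2>/dev/null || exit 2
    cgi_real=$(pwd -P)
    found=1
    for script in ./*; do
        [ -f "$script" ] && [ -x "$script" ] || continue
        name=${script#./}
        # Not found on the PATH at all: a bare-name lookup cannot pick another file.
        hit=$(first_path_hit "$name" "$2") || continue
        # First PATH hit is the CGI directory's own copy: no collision.
        [ "$hit" = "$cgi_real/$name" ] && continue
        printf '%s -> %s\n' "$name" "$hit"
        found=0
    done
    exit "$found"
)
```

Pass the PATH value the server process actually runs with as the second argument; each output line names a CGI file and the other file that the search reaches first.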

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.