Posted to apache-bugdb@apache.org by Daniel Little <da...@escape.ca> on 1997/04/09 10:20:01 UTC

general/337: Secure CGI scripts can be run by unauthorized users

>Number:         337
>Category:       general
>Synopsis:       Secure CGI scripts can be run by unauthorized users
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Apr  9 01:20:01 1997
>Originator:     danl@escape.ca
>Organization:
apache
>Release:        1.2bX
>Environment:
Solaris 2.5, Apache 1.2b7, gcc, although I think it is a fairly general problem
>Description:
A CGI script is in a password protected area (using .htaccess protection). Theoretically,
a user on the system could create a CGI script that executes the password protected script,
setting the correct environment variables and giving it the correct parameters that ensure
the script cannot detect that it is being run by another script rather than the httpd daemon.
I guess this is just a general problem with CGI security itself, but I wondered if anybody has
had this happen, or if there is any way to ensure that it doesn't happen. My guess is to
ensure that the parent process id of the parent process of the CGI script is the process
id logged to disk when httpd starts. Is this enough?
>How-To-Repeat:
I haven't tried this but I could fairly easily generate it if you need me to. Like I said, it is
just a general concern.
>Fix:
Just make a note in the security docs for Apache that some checking should be done
within the CGI script if it is really meant to be secure. I've not seen anything on this
anywhere. This is even more critical if the CGI script is setuid so that it has some
real access to the server. Really, it's probably just one of the many millions of possible
problems that are opened by providing CGI access, even through CGI wrappers.
>Audit-Trail:
>Unformatted:
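An added example, not code from the report or from Apache, implementing the parent-of-parent check the report proposes (the report itself only asks whether it is enough). Assumed here: the master PID is written to /var/run/httpd.pid, and the host has a Linux-style /proc/<pid>/stat; the report's own Solaris 2.5 environment lays out /proc differently.

```python
import os

HTTPD_PID_FILE = "/var/run/httpd.pid"  # assumed path; the report only says "logged to disk"


def read_httpd_pid(path=HTTPD_PID_FILE):
    """PID the httpd master recorded at startup, or None if the file is unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def parent_of(pid):
    """Parent PID of an arbitrary process via Linux /proc/<pid>/stat; None if gone."""
    try:
        with open(f"/proc/{pid}/stat") as fh:
            data = fh.read()
    except OSError:
        return None
    # comm (field 2) may contain spaces, so parse after the last ')': state, ppid, ...
    return int(data[data.rindex(")") + 2:].split()[1])


def ancestry_chain(depth=3):
    """[self, parent, grandparent, ...] for the running process, up to `depth` entries."""
    chain = [os.getpid()]
    while len(chain) < depth:
        ppid = os.getppid() if len(chain) == 1 else parent_of(chain[-1])
        if ppid is None:
            break
        chain.append(ppid)
    return chain


def spawned_by_httpd(chain, httpd_pid):
    """The report's rule: under prefork httpd the CGI's parent is a worker child, so the
    grandparent must be the master PID written at startup. Fail closed on any gap."""
    if httpd_pid is None or len(chain) < 3:
        return False
    return chain[2] == httpd_pid


if __name__ == "__main__":
    if spawned_by_httpd(ancestry_chain(), read_httpd_pid()):
        print("Content-Type: text/plain\n\nok")
    else:
        print("Status: 403 Forbidden\nContent-Type: text/plain\n\nrefused: not launched by httpd")
```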