Posted to apache-bugdb@apache.org by fi...@hyperreal.org on 1997/09/19 18:34:28 UTC

Re: mod_cgi/543: "%2F" not allowed in CGI script PATH_INFO

Synopsis: "%2F" not allowed in CGI script PATH_INFO

State-Changed-From-To: open-analyzed
State-Changed-By: fielding
State-Changed-When: Fri Sep 19 09:34:26 PDT 1997
State-Changed-Why:
=========================================================================
It is to prevent a CGI security hole.  Say you had a CGI script that used
the PATH_INFO to select other files (as is the most common use for path
info), and I sent you

      script/..%2F..%2F..%2Fetc%2Fpasswd

(keeping in mind that a person can make multiple requests looking for
just the right combination).  The NCSA server (when we last tested it)
will perform its access checks before unescaping the %2F, and then provide
the script with PATH_INFO="/../../../etc/passwd".

The core Apache server protects against this for its own files, but CGI
authors are, ummm, security-challenged.  Some happily take the PATH_INFO
and open it relative to whatever their script's root document may be.

      dir/../../../etc/passwd

So, Apache does not allow %2F to be in PATH_INFO, which is a legitimate
thing to do given that the server controls the path namespace.

Now, I know that this causes problems with some scripts that depend on
receiving encoded paths (as does a recent version of dienst, for
example).  There are three solutions for such systems:

    1) Don't use path info to pass arguments containing embedded "/"

    2) Modify Apache so that it passes on the %2F, which technically
       violates the CGI spec and requires the script to be apache-dependent.

    3) Modify Apache so that it doesn't reject %2F, which may make your
       server a security problem.  In that case, I'd recommend continuing
       to reject any occurrence of "..%2F", since that is the main culprit.

=========================================================================

We do intend to fix it using some other method, like replacing %2F with /
before doing any path checks.  However, replacing one security plug with
another is not an easy decision since it requires that someone trace how
the path is being processed throughout Apache, and we simply have had
too many other things to do.

Release-Changed-From-To: 1.2b?-1.2
Release-Changed-By: fielding
Release-Changed-When: Fri Sep 19 09:34:26 PDT 1997
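As an added illustration, not part of the original report or of Apache's own code, the following Python models the three decode-and-check orderings the reply discusses: checking the still-encoded path before unescaping (the behaviour attributed to NCSA), refusing any %2F in PATH_INFO (Apache's rule at the time), and unescaping %2F before the path check (the alternative fix mentioned). The sample PATH_INFO values are constructed from the report's example.

```python
from urllib.parse import unquote

# Constructed samples: the traversal from the report (PATH_INFO part only,
# i.e. what follows "script"), and a legitimate encoded slash of the kind a
# dienst-style script relies on.
TRAVERSAL = "/..%2F..%2F..%2Fetc%2Fpasswd"
LEGIT = "/docs%2Fintro"


def segments_escape_root(path):
    """True if the '/'-split path ever climbs above its starting directory."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def check_then_unescape(raw_path_info):
    """Ordering the report attributes to NCSA: the access check runs on the
    encoded string, so '..%2F' never splits into a '..' segment; afterwards
    %2F is unescaped and the script receives the decoded traversal."""
    if segments_escape_root(raw_path_info):
        return None  # rejected
    return unquote(raw_path_info)


def reject_encoded_slash(raw_path_info):
    """Apache's rule at the time: any %2F in PATH_INFO is refused outright,
    which also breaks scripts that legitimately expect encoded slashes."""
    if "%2f" in raw_path_info.lower():
        return None
    decoded = unquote(raw_path_info)
    return None if segments_escape_root(decoded) else decoded


def unescape_then_check(raw_path_info):
    """The alternative the reply mentions: decode %2F first, then run the
    same traversal check on the decoded path, so legitimate encoded slashes
    survive while '..' components are caught."""
    decoded = unquote(raw_path_info)
    return None if segments_escape_root(decoded) else decoded


if __name__ == "__main__":
    for fn in (check_then_unescape, reject_encoded_slash, unescape_then_check):
        print(fn.__name__, repr(fn(TRAVERSAL)), repr(fn(LEGIT)))
```

Running it shows only the decode-first ordering both blocks the traversal and keeps the legitimate encoded slash.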