Posted to apache-bugdb@apache.org by fi...@hyperreal.org on 1997/09/19 18:34:28 UTC
Re: mod_cgi/543: "%2F" not allowed in CGI script PATH_INFO
Synopsis: "%2F" not allowed in CGI script PATH_INFO
State-Changed-From-To: open-analyzed
State-Changed-By: fielding
State-Changed-When: Fri Sep 19 09:34:26 PDT 1997
State-Changed-Why:
=========================================================================
It is to prevent a CGI security hole. Say you had a CGI script that used
the PATH_INFO to select other files (as is the most common use for path
info), and I sent you
script/..%2F..%2F..%2Fetc%2Fpasswd
(keeping in mind that a person can make multiple requests looking for
just the right combination). The NCSA server (when we last tested it)
will perform its access checks before unescaping the %2F, and then provide
the script with PATH_INFO="/../../../etc/passwd".
The core Apache server protects against this for its own files, but CGI
authors are, ummm, security-challenged. Some happily take the PATH_INFO
and open it relative to whatever their script's root document may be.
dir/../../../etc/passwd
So, Apache does not allow %2F to be in PATH_INFO, which is a legitimate
thing to do given that the server controls the path namespace.
Now, I know that this causes problems with some scripts that depend on
receiving encoded paths (as does a recent version of dienst, for
example). There are three solutions for such systems:
1) Don't use path info to pass arguments containing embedded "/"
2) Modify Apache so that it passes on the %2F, which technically
violates the CGI spec and requires the script to be apache-dependent.
3) Modify Apache so that it doesn't reject %2F, which may make your
server a security problem. In that case, I'd recommend continuing
to reject any occurrence of "..%2F", since that is the main culprit.
=========================================================================
We do intend to fix it using some other method, like replacing %2F with /
before doing any path checks. However, replacing one security plug with
another is not an easy decision since it requires that someone trace how
the path is being processed throughout Apache, and we simply have had
too many other things to do.
Release-Changed-From-To: 1.2b?-1.2
Release-Changed-By: fielding
Release-Changed-When: Fri Sep 19 09:34:26 PDT 1997
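The three orderings discussed in the message above, written out as an added Python example (this is not code from Apache or from the bug report; the document root, the function names and the sample PATH_INFO values are constructed for illustration). The first function reproduces the flawed "check before unescape" ordering the message attributes to the NCSA server, the second is the flat "reject any %2F" policy Apache applied, and the third is the "decode first, then check" approach the message says Apache intends to move to, with the decoded path normalized and confined to the script's root:

```python
import posixpath
from urllib.parse import unquote

# Hypothetical directory a CGI script resolves PATH_INFO against (constructed).
DOC_ROOT = "/var/www/data"


def check_then_decode(path_info):
    """Flawed ordering: the traversal check runs on the still-encoded string,
    so '..%2F' never looks like '../' and passes; decoding happens afterwards.
    Returns the decoded path the script would go on to open, or None if rejected."""
    if "../" in path_info:
        return None
    return unquote(path_info)


def reject_encoded_slash(path_info):
    """Apache's policy from the message: any %2F/%2f in PATH_INFO is refused
    outright, so the script never sees an encoded slash at all."""
    if "%2f" in path_info.lower():
        return None
    return unquote(path_info)


def decode_then_confine(path_info, root=DOC_ROOT):
    """Decode first, then check. unquote() runs once, so a double-encoded
    '%252F' becomes the literal text '%2F' and is not a separator. The decoded
    value is joined to the root, normalized (which collapses '..'), and the
    result must still lie inside the root. Returns the absolute path or None."""
    decoded = unquote(path_info)
    if "\x00" in decoded:
        return None
    # Strip leading slashes so posixpath.join cannot be reset to an absolute path.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample PATH_INFO values: the traversal from the message and a benign one.
    samples = ["script/..%2F..%2F..%2Fetc%2Fpasswd", "reports%2F2024%2Fq1.txt"]
    for s in samples:
        print(s)
        print("  check-then-decode :", check_then_decode(s))
        print("  reject %2F        :", reject_encoded_slash(s))
        print("  decode-then-confine:", decode_then_confine(s))
```

The benign `reports%2F2024%2Fq1.txt` path shows the trade-off the message describes: the flat `%2F` rejection refuses it even though it is harmless, whereas decode-then-confine accepts it and still refuses the `..%2F` sequence, because normalization is applied to the decoded value and the containment check is made against the root.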