You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Kevin Geddie <kl...@magma.ca> on 1997/11/12 23:22:55 UTC
general/1406: Security error in non-parsed header (nph-*) scripts - QUERY_STRING environment variable
>Number: 1406
>Category: general
>Synopsis: Security error in non-parsed header (nph-*) scripts - QUERY_STRING environment variable
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Wed Nov 12 14:30:00 PST 1997
>Last-Modified:
>Originator: klgeddie@magma.ca
>Organization:
apache
>Release: 1.1.1 - 1.2.4
>Environment:
BSDi versions 2.1 and 3.0
BSD/OS media.magma.ca 2.1 BSDI BSD/OS 2.1 Kernel #6: Tue Mar 25 20:01:02 EST 1997 klgeddie@media.magma.ca:/usr/src/sys/compile/LOCAL i386
BSD/OS media2.magma.ca 3.0 BSDI BSD/OS 3.0 Kernel #10: Fri Apr 25 12:32:45 EDT 1997 klgeddie@media2.magma.ca:/usr/src/sys/compile/LOCAL i386
>Description:
The problem is that the QUERY_STRING environment variable is NOT being set
correctly for non-parsed header scripts. Apparently, the QUERY_STRING is
considered to be a filename, and is expanded according to UNIX rules,
including wildcards.
Here's a simple non-parsed-header script (call if nph-test-cgi):
--------------------------------- cut here ------------------------------------
#!/bin/sh
echo HTTP/1.0 200 OK
echo Content-type: text/plain
echo Server: $SERVER_SOFTWARE
echo
echo CGI/1.0 test script report:
echo
echo argc is $#. argv is "$*".
echo
echo QUERY_STRING = $QUERY_STRING
--------------------------------- cut here ------------------------------------
Assume your web server's domain name is "web.server.com".
Go to the following URL: http://web.server.com/cgi-bin/nph-test-cgi?*
The output from the CGI will not be quite what you would expect.
You would expect that QUERY_STRING environment variable would equal "*",
but instead it contains a listing of ALL of the files in the "cgi-bin"
directory. It also allows relative paths, so that the URL
http://web.server.com/cgi-bin/nph-test-cgi?../*
will give you a listing of all of the files/directories in the "cgi-bin"
directory's parent directory.
By the way, the above script behaves properly if the script is NOT a
non-parsed-header script. That is, the QUERY_STRING environment variable
is equal to "*".
>How-To-Repeat:
See full description.
>Fix:
Attempt to set the QUERY_STRING environment variable in the same way (perhaps
using the same code), whether the script is a non-parsed-header script or not
>Audit-Trail:
>Unformatted: