Posted to apache-bugdb@apache.org by Mark Bentley <be...@cs.umn.edu> on 1997/03/27 16:10:02 UTC

suexec/269: Server-side include exec cmd with suEXEC bug

	The contract type is `' with a response time of 3 business hours.
	A first analysis should be sent before: Thu Mar 27 11:00:02 PST 1997


>Number:         269
>Category:       suexec
>Synopsis:       Server-side include exec cmd with suEXEC bug
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Mar 27 07:10:02 1997
>Originator:     bentlema@cs.umn.edu
>Organization:
apache
>Release:        1.2b7
>Environment:

>Description:
An SSI such as:

 <!--#exec cmd="bin/myscript" -->

which is relative to UserDir, doesn't work because of these lines in suEXEC:

    /*
     * Check for a '/' in the command to be executed,
     * to protect against attacks.  If a '/' is
     * found, error out.  Naughty naughty crackers.
     */
    if ((strchr(cmd, '/')) != NULL ) {
        log_err("invalid command (%s)\n", cmd);
        exit(104);
    }

 
>How-To-Repeat:

>Fix:

>Audit-Trail:
>Unformatted:
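
The behaviour described in this report, as an added example that is not part of the original report and is not suEXEC code: the quoted `strchr` check rejects every path containing a '/', while a component-wise check can accept `bin/myscript` and still refuse absolute paths and `..` traversal. The function names and all sample inputs other than `bin/myscript` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* The check quoted in the report: any '/' at all is rejected. */
static int blanket_check_allows(const char *cmd)
{
    return strchr(cmd, '/') == NULL;
}

/*
 * Hypothetical component-wise check (an assumption, not suEXEC code):
 * accept a relative path with subdirectories; reject absolute paths,
 * empty components and any "." or ".." component.
 */
static int component_check_allows(const char *cmd)
{
    const char *p = cmd;

    if (*p == '\0' || *p == '/')
        return 0;                       /* empty or absolute path */
    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 0)
            return 0;                   /* empty component, e.g. "a//b" */
        if ((len == 1 && p[0] == '.') ||
            (len == 2 && p[0] == '.' && p[1] == '.'))
            return 0;                   /* "." or ".." component */
        p += len;
        if (*p == '/' && *++p == '\0')
            return 0;                   /* trailing '/' */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs; the first is the one from the report. */
    const char *samples[] = { "bin/myscript", "myscript", "/bin/sh",
                              "../other/script", "bin/../../x", "bin//x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s blanket=%d component=%d\n", samples[i],
               blanket_check_allows(samples[i]),
               component_check_allows(samples[i]));
    return 0;
}
```

A lexical check like this does not follow symlinks, so it complements rather than replaces checks on where the resolved file lives and who owns it.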