Posted to users@httpd.apache.org by Robert Frank <ro...@unibas.ch> on 2006/08/30 09:47:56 UTC

[users@httpd] CGI runs wrong program - security issue

Hi,

I've stumbled across a peculiar problem with httpd apache 2.0.47 on  
solaris 9 at my other working place:

the configuration includes a cgi-alias and an appropriate directory  
directive to execute cgi programs (perl scripts in our case, but  
that's irrelevant).

All is well if the name of the file to execute does not exist on any  
other PATH defined by the server on startup. If the file to execute  
exists on one of the paths in the PATH environment, THAT will be run  
instead of the one in the cgi-bin directory. By using truss, we've  
traced the exact processing of data:

apache receives the request, searches for the file in the given cgi  
directory, if found, it changes to the cgi-bin directory.
Then it calls execve with JUST the name of the file to execute.  
Solaris execve, however, starts checking the PATH variable for the  
executable. If it finds anything with the same name in  one of the  
paths, THAT is executed, regardless of the fact that the httpd had  
changed to the cgi-bin directory. This is because the PATH does not  
include '.' as the first element.

The fix would be very simple: call execve with the full path and name.

I consider this a security bug, as we definitively want to execute  
just that file, not anything else.

Unfortunately, I'm not able to install the latest version of apache,  
as I don't have any solaris box around here and I'm not allowed to  
install anything at the other working place.
Has anyone had the same problem?

Robert


Departement Informatik   FGB   tel   +41 (0)61 267 14 66
Universität Basel                          fax. +41 (0)61 267 14 61
Robert Frank
Klingelbergstrasse 50                 Robert.Frank@unibas.ch
CH-4056 Basel
Switzerland                                   http://www.informatik.unibas.ch/personen/frank_r.html
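The fix Robert proposes (exec the script by its full path and name) as an added C example; this is not code from the post or from httpd. It is a hypothetical helper that builds the absolute path of a script inside a cgi-bin directory, rejects names that could point elsewhere, and runs it with execv(), which like execve() never consults PATH; the directory names used are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Build the absolute path of a script inside cgi_dir. Names containing '/'
 * or starting with '.' are rejected, so the result can only name a file
 * directly inside cgi_dir. Returns 0 on success, -1 on rejection or if the
 * result does not fit in out. Hypothetical helper, not httpd's own code. */
int resolve_cgi(const char *cgi_dir, const char *name, char *out, size_t outsz)
{
    if (cgi_dir == NULL || cgi_dir[0] != '/' || name == NULL || name[0] == '\0')
        return -1;
    if (name[0] == '.' || strchr(name, '/') != NULL)
        return -1;
    int n = snprintf(out, outsz, "%s/%s", cgi_dir, name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Fork and run the script by absolute path. execv(), like execve(), never
 * searches PATH, so a same-named binary elsewhere cannot be picked up.
 * Returns the child's exit status, or -1 on failure. */
int run_cgi(const char *cgi_dir, const char *name)
{
    char path[4096];
    if (resolve_cgi(cgi_dir, name, path, sizeof path) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (chdir(cgi_dir) != 0)      /* same cwd as httpd uses, but exec by path */
            _exit(127);
        char *const argv[] = { path, NULL };
        execv(path, argv);            /* absolute path: no PATH lookup */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```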