Posted to users@httpd.apache.org by Robert Frank <ro...@unibas.ch> on 2006/08/30 09:47:56 UTC
[users@httpd] CGI runs wrong program - security issue
Hi,
I've stumbled across a peculiar problem with Apache httpd 2.0.47 on
Solaris 9 at my other workplace:
the configuration includes a cgi-alias and an appropriate directory
directive to execute cgi programs (perl scripts in our case, but
that's irrelevant).
All is well if the name of the file to execute does not exist on any
other PATH defined by the server on startup. If the file to execute
exists on one of the paths in the PATH environment, THAT will be run
instead of the one in the cgi-bin directory. By using truss, we've
traced the exact processing of data:
apache receives the request, searches for the file in the given cgi
directory, if found, it changes to the cgi-bin directory.
Then it calls execve with JUST the name of the file to execute.
Solaris execve, however, starts checking the PATH variable for the
executable. If it finds anything with the same name in one of the
paths, THAT is executed, regardless of the fact that the httpd had
changed to the cgi-bin directory. This is because the PATH does not
include '.' as the first element.
The fix would be very simple: call execve with the full path and name.
I consider this a security bug, as we definitely want to execute
just that file, not anything else.
Unfortunately, I'm not able to install the latest version of apache,
as I don't have any solaris box around here and I'm not allowed to
install anything at the other working place.
Has anyone had the same problem?
Robert
Robert Frank
Departement Informatik FGB
Universität Basel
Klingelbergstrasse 50
CH-4056 Basel
Switzerland
tel +41 (0)61 267 14 66
fax +41 (0)61 267 14 61
Robert.Frank@unibas.ch
http://www.informatik.unibas.ch/personen/frank_r.html
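The name-resolution behaviour traced above, as an added example that is not part of the original post and not Apache httpd's or APR's code. One point worth pinning down for anyone debugging this: in the POSIX exec family, execve() and execv() never consult PATH, a bare name without a slash is opened relative to the current directory; it is the p-variants (execvp(), execlp()) that walk PATH, and they look in the current directory only if "." appears in PATH. So a same-named file in a PATH directory shadows the one in cgi-bin exactly when a bare name reaches a PATH-searching exec, and passing the full path removes the ambiguity for either call. The program below builds a throwaway cgi-bin directory and a "shadow" PATH directory under TMPDIR (constructed sample data, each holding a one-line script named hello), execs "hello" from inside cgi-bin with the shadow directory first in PATH, and reports which script actually ran. It assumes a Unix host with /bin/sh and a writable TMPDIR (or /tmp); the directory and function names are the example's own.

```c
/* Added example (not from the original post or Apache): which file runs when
 * a bare program name is handed to execve() versus execvp(), and why an
 * absolute path is unambiguous with either. Assumes /bin/sh and a writable
 * TMPDIR or /tmp; all names below are the example's own. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

enum { USE_EXECVE, USE_EXECVP };

/* Write a one-line shell script that prints `msg`, and make it executable. */
static int write_script(const char *dir, const char *name, const char *msg) {
    char path[512];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fprintf(f, "#!/bin/sh\nprintf '%s'\n", msg);   /* printf is a sh builtin */
    fclose(f);
    return chmod(path, 0755);
}

/* chdir into `cwd`, set PATH to `path`, exec `prog` with the chosen call and
 * copy whatever the child prints into `out`. Returns 0 if the child exited 0. */
static int run_and_capture(const char *cwd, const char *path, const char *prog,
                           int how, char *out, size_t outlen) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        if (chdir(cwd) != 0) _exit(126);
        char pathvar[512];
        snprintf(pathvar, sizeof pathvar, "PATH=%s", path);
        char *argv[] = { (char *)prog, NULL };
        char *envp[] = { pathvar, NULL };
        if (how == USE_EXECVE) {
            execve(prog, argv, envp);          /* no PATH search: cwd-relative */
        } else {
            setenv("PATH", path, 1);           /* execvp reads PATH from environ */
            execvp(prog, argv);                /* PATH search; cwd only if "." in PATH */
        }
        _exit(127);                            /* exec failed: nothing found */
    }
    close(fds[1]);
    ssize_t n = read(fds[0], out, outlen - 1);
    close(fds[0]);
    out[n > 0 ? n : 0] = '\0';
    int status = 0;
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Build <tmp>/cgi-bin/hello (prints "cgi-bin") and <tmp>/shadow/hello
 * (prints "shadow"), then exec "hello" from inside cgi-bin with the shadow
 * directory first in PATH. `absolute` selects the full cgi-bin path instead
 * of the bare name. Returns what the program that actually ran printed. */
static const char *resolve_demo(int how, int absolute) {
    static char result[64];
    const char *tmp = getenv("TMPDIR");
    if (!tmp || !*tmp) tmp = "/tmp";
    char tmpl[256];
    snprintf(tmpl, sizeof tmpl, "%s/execdemoXXXXXX", tmp);
    char *base = mkdtemp(tmpl);
    if (!base) return "";
    char cgi[300], shadow[300], path[700], abs_prog[320];
    snprintf(cgi, sizeof cgi, "%s/cgi-bin", base);
    snprintf(shadow, sizeof shadow, "%s/shadow", base);
    mkdir(cgi, 0755);
    mkdir(shadow, 0755);
    write_script(cgi, "hello", "cgi-bin");
    write_script(shadow, "hello", "shadow");
    snprintf(path, sizeof path, "%s:/usr/bin:/bin", shadow);   /* "." absent */
    snprintf(abs_prog, sizeof abs_prog, "%s/hello", cgi);
    result[0] = '\0';
    run_and_capture(cgi, path, absolute ? abs_prog : "hello", how, result, sizeof result);
    /* tidy up the constructed tree */
    char p[320];
    snprintf(p, sizeof p, "%s/hello", cgi);    remove(p);
    snprintf(p, sizeof p, "%s/hello", shadow); remove(p);
    rmdir(cgi); rmdir(shadow); rmdir(base);
    return result;
}

int main(void) {
    printf("execvp(\"hello\")           -> %s\n", resolve_demo(USE_EXECVP, 0));
    printf("execve(\"hello\")           -> %s\n", resolve_demo(USE_EXECVE, 0));
    printf("execve(\"<cgi-bin>/hello\") -> %s\n", resolve_demo(USE_EXECVE, 1));
    printf("execvp(\"<cgi-bin>/hello\") -> %s\n", resolve_demo(USE_EXECVP, 1));
    return 0;
}
```

Only the first line prints "shadow": the bare name through a PATH-searching exec, with "." not in PATH, picks up the same-named file from the PATH directory even though the process is sitting in cgi-bin. The bare name through execve() and the full path through either call run the cgi-bin script. Whichever exec call a server turns out to be making, building the absolute path from the directory it already resolved the script in (as the post proposes) is the robust fix; prepending "." to PATH is not, since that reintroduces cwd-relative lookups for everything the server and its CGI children subsequently execute.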
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org