Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/07/25 11:59:30 UTC
DO NOT REPLY [Bug 21879] New: - Global CGI RW
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21879
Summary: Global CGI RW
Product: Apache httpd-2.0
Version: 2.0.47
Platform: All
OS/Version: All
Status: NEW
Severity: Major
Priority: Other
Component: mod_cgi
AssignedTo: bugs@httpd.apache.org
ReportedBy: webmaster@fnx.free-bsd.org
Currently, a bug exists whereby at the minimum an attacker can read the contents
of every file that Apache has access to. Potentially the attacker can also write
to every file that Apache has access to. This bug involves CGI changing
directories and then listing directory contents or file contents.
Since CGI is executed either as the HTTPd user itself, or another global user,
file system permissions can stop that user writing to disk. However, this
doesn't help most win32 Operating Systems.
As an effort to aid a possible solution, the only way I can see is to execute
CGI as each specific user. For example, if the HTTP_USER is blank, then CGI
should only be allowed "anonymous" access rights, and therefore access rights
can be set up on a per-user basis.