You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/07/25 11:59:30 UTC

DO NOT REPLY [Bug 21879] New: - Global CGI RW

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21879>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21879

Global CGI RW

           Summary: Global CGI RW
           Product: Apache httpd-2.0
           Version: 2.0.47
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Other
         Component: mod_cgi
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: webmaster@fnx.free-bsd.org


Currently, a bug exists whereby at the minimum an attacker can read the contents 
of every file that Apache has access to. Potentially the attacker can also write 
to every file that Apache has access to. This bug involves CGI changing 
directories and then listing directory contents or file contents.
Since CGI is executed either as the HTTPd user itself, or another global user, 
file system permissions can stop that user writing to disk. However, this 
doesn't help most win32 Operating Systems.
As an effort to aid a possible solution, the only way I can see is to execute 
CGI as each specific user. For example, if the HTTP_USER is blank, then CGI 
should only be allowed "anonymous" access rights, and therefore access rights 
can be setup on a per-user basis.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org