Posted to dev@httpd.apache.org by Brian Behlendorf <br...@wired.com> on 1995/03/28 21:10:15 UTC
D'oh! Another security hole fix
I'll do this as an official patch against 0.3 in just a little bit. In
fact I don't even know if 0.3 has this, but NCSA 1.3R does, so I thought
I'd send this out sooner rather than later. Fortunately I couldn't find
any evidence anyone's used it against hotwired before I patched it just
now.
Brian
---------- Forwarded message ----------
Date: Sat, 25 Mar 1995 10:37:35 +0000 (GMT)
From: Mark J Cox <M....@bradford.ac.uk>
To: Brian Behlendorf <br...@wired.com>
Subject: Re: *** IMPORTANT README *** (fwd)
This should stop those nosey people :)
Mark J Cox ---------------------- URL:http://www.eia.brad.ac.uk/mark.html
University of Bradford, UK --------------- tel +44.1274.384070/fax 391333
---------- Forwarded message ----------
Date: Wed, 25 Jan 1995 12:02:52 +0000 (GMT)
From: Mark J Cox <M....@bradford.ac.uk>
To: "Carlos A. Varela" <cv...@ncsa.uiuc.edu>
Cc: Mark J Cox <M....@bradford.ac.uk>
Subject: Re: *** IMPORTANT README ***
> I'm taking a look at your patches. Please let me know the security
> breach (and fix) you've found. Thanks for your interest in httpd,
I was rather hoping no one was working on httpd - then I wouldn't keep
having to add my patches to all the new versions :-)
I think the DBM extension to the Basic access method is essential - let
me know if you want the patch (it's actually not that big, the documentation
takes up more lines!). We have had it in place and running with >800 users
for a few months now.
Enclosed are the security patch and description.
Mark
Mark J Cox ---------------------- URL:http://www.eia.brad.ac.uk/mark.html
University of Bradford, UK --------------- tel +44.1274.384070/fax 391333
*** ../src-12/http_get.c Mon Apr 11 07:10:18 1994
--- http_get.c Tue Jan 3 09:17:03 1995
***************
*** 125,130 ****
--- 134,161 ----
die(FORBIDDEN,file,fd);
}
}
+
+ /* Bug fix: m.j.cox@bradford.ac.uk, 20 December 1994
+ * Description:
+ * If you have turned on CGI scripts in arbitary directories
+ * (say using the .cgi extension) and you also allow "Options All" then:
+ * GET /something.cgi Runs the script (okay)
+ * GET /something.cgi/fish Runs the script, params /fish (okay)
+ * GET /something.cgi/ Returns the binary/source of the script (oops)
+ * Anyone could get a look at your source (since many scripts are
+ * written in Perl) or grab strings out of a C binary. It may
+ * give a hacker an idea of your script's weaknesses or steal your ideas!
+ * Why: Unix stat say's /s.cgi/ is a file but /s.cgi/x isn't
+ * Solution: trap this single case.
+ */
+
+ if (file[strlen(file)-1]=='/') {
+ char t[MAX_STRING_LEN];
+
+ strcpy(t,file);
+ t[strlen(t)-1]=0;
+ probe_content_type(t);
+ if (!strcmp(content_type,CGI_MAGIC_TYPE)) {
+ send_cgi("GET",t,"",args,&finfo,in,fd);
+ return;
+ }
+ }
+
probe_content_type(file);
if(S_ISREG(finfo.st_mode) && (!strcmp(content_type,CGI_MAGIC_TYPE))) {
send_cgi("GET",file,"",args,&finfo,in,fd);
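Review bot: The new trailing-slash block hands `t` to `send_cgi` without the `S_ISREG(finfo.st_mode)` test that the existing check just below applies before calling `send_cgi` on `file`, so a directory whose name happens to probe as the CGI content type (a directory called `x.cgi`, requested as `/x.cgi/`) would now be executed instead of being served as a directory; make the new condition mirror the original, i.e. `if (S_ISREG(finfo.st_mode) && !strcmp(content_type,CGI_MAGIC_TYPE))`. Two smaller points in the same block: `strcpy(t,file)` into `char t[MAX_STRING_LEN]` has no length check, so unless `file` is already guaranteed to be shorter than MAX_STRING_LEN this should be a bounded copy with explicit termination, and `file[strlen(file)-1]` reads one byte before the buffer if `file` is ever the empty string, so guard it with `strlen(file) > 0`. The comment would also be easier to follow if it stated outright that `finfo` still holds the stat of the slash-terminated path, which is why it is reused for `t`.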