Posted to dev@httpd.apache.org by Brian Behlendorf <br...@wired.com> on 1995/03/28 21:10:15 UTC

D'oh! Another security hole fix

I'll do this as an official patch against 0.3 in just a little bit.  In 
fact I don't even know if 0.3 has this, but NCSA 1.3R does, so I thought 
I'd send this out sooner rather than later.  Fortunately I couldn't find 
any evidence anyone's used it against hotwired before I patched it just 
now.

	Brian

---------- Forwarded message ----------
Date: Sat, 25 Mar 1995 10:37:35 +0000 (GMT)
From: Mark J Cox <M....@bradford.ac.uk>
To: Brian Behlendorf <br...@wired.com>
Subject: Re: *** IMPORTANT README *** (fwd)

This should stop those nosey people :)

Mark J Cox ---------------------- URL:http://www.eia.brad.ac.uk/mark.html
University of Bradford, UK --------------- tel +44.1274.384070/fax 391333


---------- Forwarded message ----------
Date: Wed, 25 Jan 1995 12:02:52 +0000 (GMT)
From: Mark J Cox <M....@bradford.ac.uk>
To: "Carlos A. Varela" <cv...@ncsa.uiuc.edu>
Cc: Mark J Cox <M....@bradford.ac.uk>
Subject: Re: *** IMPORTANT README ***

> I'm taking a look at your patches.  Please let me know the security 
> breach (and fix) you've found.  Thanks for your interest in httpd,

I was rather hoping no one was working on httpd - then I wouldn't keep
having to add my patches to all the new versions :-)

I think the DBM extension to the Basic access method is essential - let
me know if you want the patch (it's actually not that big; the documentation
takes up more lines!).  We have had it in place and running with >800 users
for a few months now.

Enclosed the security patch and description.

Mark
Mark J Cox ---------------------- URL:http://www.eia.brad.ac.uk/mark.html
University of Bradford, UK --------------- tel +44.1274.384070/fax 391333

*** ../src-12/http_get.c        Mon Apr 11 07:10:18 1994
--- http_get.c  Tue Jan  3 09:17:03 1995
***************
*** 125,130 ****
--- 134,161 ----
              die(FORBIDDEN,file,fd);
          }
      }
+ 
+ /* Bug fix: m.j.cox@bradford.ac.uk, 20 December 1994
+  * Description:
+  *  If you have turned on CGI scripts in arbitary directories
+  *  (say using the .cgi extension) and you also allow "Options All" then:
+  *   GET /something.cgi      Runs the script (okay)
+  *   GET /something.cgi/fish Runs the script, params /fish (okay)
+  *   GET /something.cgi/     Returns the binary/source of the script (oops)
+  *  Anyone could get a look at your source (since many scripts are
+  *  written in Perl) or grab strings out of a C binary.  It may 
+  *  give a hacker an idea of your script's weaknesses or steal your ideas!
+  * Why: Unix stat say's /s.cgi/ is a file but /s.cgi/x isn't
+  * Solution: trap this single case.
+  */
+ 
+     if (file[strlen(file)-1]=='/') {
+       char t[MAX_STRING_LEN];
+ 
+       strcpy(t,file);
+       t[strlen(t)-1]=0;
+       probe_content_type(t);
+       if (!strcmp(content_type,CGI_MAGIC_TYPE)) {
+               send_cgi("GET",t,"",args,&finfo,in,fd);
+               return;
+       }
+     }
+ 
      probe_content_type(file);
      if(S_ISREG(finfo.st_mode) && (!strcmp(content_type,CGI_MAGIC_TYPE))) {
          send_cgi("GET",file,"",args,&finfo,in,fd);
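Review bot: the new block only handles exactly one trailing '/': `t[strlen(t)-1]=0` strips a single character, so a request for `/something.cgi//` still falls through to `probe_content_type(file)` below and is served by the regular-file path unless `probe_content_type` happens to classify `something.cgi/` as CGI, which an extension-based probe will not. Strip trailing slashes in a loop (`while (len > 0 && t[len-1] == '/') t[--len] = 0;`) or refuse to serve a regular file that was requested with a trailing slash at all. Two smaller points in the same block: `file[strlen(file)-1]` reads before the start of the buffer if `file` is empty, and `strcpy(t,file)` into `char t[MAX_STRING_LEN]` is unbounded unless `file` is already guaranteed to be shorter than MAX_STRING_LEN, so a length check or `strncpy` would make that guarantee explicit. The new branch also skips the `S_ISREG(finfo.st_mode)` test that the existing CGI branch applies, so it would call `send_cgi` on a directory or special file whose name ends in the CGI extension; add the same `S_ISREG` check before the `send_cgi` call.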
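The trailing-slash hole above comes from deciding "script or static file" on the raw request path and then trusting stat() to sort it out. A more robust way to make the decision, written here as an added example and not code from NCSA httpd, Apache or Mark's patch, is to split the request into script and PATH_INFO by walking the path components and stopping at the first one that carries the CGI extension; everything after it (including any number of trailing slashes) becomes PATH_INFO and never reaches the file-serving code. It goes beyond the patch in handling `/something.cgi//` as well as the single-slash case. `split_cgi_request`, `has_cgi_ext`, `MAX_PATH_LEN` and `CGI_EXT` are names chosen for this example; the ".cgi" extension-based mapping is the configuration the patch comment describes, and the request strings in main() are constructed from that comment.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 256      /* example bound, not the server's MAX_STRING_LEN */
#define CGI_EXT      ".cgi"   /* extension-based CGI mapping, as in the patch comment */

/* Result of splitting a request path into the script to run and the
 * PATH_INFO that follows it (both names are this example's own). */
struct cgi_split {
    int  is_cgi;                   /* 1 if a component ending in CGI_EXT was found */
    char script[MAX_PATH_LEN];     /* e.g. "/something.cgi" */
    char path_info[MAX_PATH_LEN];  /* e.g. "/fish", "/", "//", or "" */
};

/* Does the prefix s[0..len) end in CGI_EXT?  Stands in for the server's
 * probe_content_type(), which this example does not have. */
static int has_cgi_ext(const char *s, size_t len)
{
    size_t el = strlen(CGI_EXT);
    return len >= el && strncmp(s + len - el, CGI_EXT, el) == 0;
}

/* Walk the request path component by component.  The first component
 * ending in CGI_EXT is the script; whatever follows, slashes included,
 * is PATH_INFO.  Trailing slashes (one or many) therefore can never turn
 * a script into a static file.  Returns 0 on success, -1 on an empty,
 * relative or oversized path. */
int split_cgi_request(const char *req, struct cgi_split *out)
{
    size_t n = strlen(req);
    if (n == 0 || n >= MAX_PATH_LEN || req[0] != '/')
        return -1;

    memset(out, 0, sizeof *out);

    /* i is each position where a component ends: a '/' after index 0,
     * or the end of the string. */
    for (size_t i = 1; i <= n; i++) {
        if (i == n || req[i] == '/') {
            if (has_cgi_ext(req, i)) {
                memcpy(out->script, req, i);      /* i < MAX_PATH_LEN */
                out->script[i] = '\0';
                strcpy(out->path_info, req + i);  /* n - i < MAX_PATH_LEN */
                out->is_cgi = 1;
                return 0;
            }
        }
    }

    /* No CGI component: the whole path is a static-file request. */
    strcpy(out->script, req);
    return 0;
}

int main(void)
{
    /* Constructed requests, taken from the three cases in the patch comment
     * plus the double-slash variant the patch does not trap. */
    const char *reqs[] = { "/something.cgi", "/something.cgi/fish",
                           "/something.cgi/", "/something.cgi//", "/index.html" };
    for (size_t k = 0; k < sizeof reqs / sizeof reqs[0]; k++) {
        struct cgi_split r;
        if (split_cgi_request(reqs[k], &r) != 0) {
            printf("%-22s -> rejected\n", reqs[k]);
            continue;
        }
        printf("%-22s -> %s script=%s path_info=\"%s\"\n", reqs[k],
               r.is_cgi ? "CGI   " : "static", r.script, r.path_info);
    }
    return 0;
}
```

The decision is made purely on the request string, so it does not depend on whether a particular Unix's stat() accepts `/s.cgi/` as a file; the file-serving code only ever sees paths that contain no CGI component at all.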