You are viewing a plain text version of this content. The canonical link for it is here.

Posted to apache-bugdb@apache.org by Paul Robertson <pr...@clark.net> on 1997/07/21 20:50:01 UTC

other/893: Authentication for CGIs not always working

>Number:         893
>Category:       other
>Synopsis:       Authentication for CGIs not always working
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Jul 21 11:50:01 1997
>Originator:     proberts@clark.net
>Organization:
apache
>Release:        1.1.3
>Environment:
RH Linux 4.1, gcc 2.7.2.1.  
>Description:
As in problem 737, I am seeing authentication failures for CGI scripts, 
requests are proxied, and failure is common, but not 100% repeatable.

smtpgate.gannett.com - - [21/Jul/1997:13:44:13 -0400] "POST /cgi/gancar.cgi HTTP
/1.0" 401 -
smtpgate.gannett.com - - [21/Jul/1997:13:44:29 -0400] "POST /cgi/gancar.cgi HTTP
/1.0" 401 -
smtpgate.gannett.com - gancar [21/Jul/1997:13:44:29 -0400] "POST /cgi/gancar.cgi
 HTTP/1.0" 200 183

The successful request was the result of a relaod, 
ScriptAlias /cgi/ /home/httpd/html/GC/cgi-bin/
is in srm.conf

Scripts live in /home/httpd/html/GC/cgi-bin  .htaccess was in GC, and now is in
all directories.  Access.conf contains:
AllowOverried Authconfig for /home/httpd/html

along with:

<Directory /home/httpd/html/GC/cgi-bin>
AllowOverride All
Options All
</Directory>

CGI in question is doing HTTP file upload, browser Netcape 3.01, error message
box says "A network error occured while Netscape was sending data.  (Network Error: Connection aborted)  Try connecting again."

 
>How-To-Repeat:
It would seem that queries coming through a proxy are more likely to trigger 
the event.  I am unable to provide a URL, but would be happy to provide the
CGI scripts and libraries.  It also seems that only POSTs to 
enctype=multipart/form-data (HTTP file upload) trigger this.
>Fix:
Not at this tim
>Audit-Trail:
>Unformatted:

Re: other/893: Authentication for CGIs not always working

Posted by "Paul D. Robertson" <pr...@clark.net>.

On Mon, 21 Jul 1997, Dean Gaudet wrote:

> You say the requests are going through a proxy.  Please provide more
> details, such as how the proxy is configured, and what proxy it is.  Are
> you sure it's not the proxy that's messing things up?  Have you tried
> doing a tcpdump and analysing the transaction between the proxy and the
> server?

I've tried it with both http-gw, and the Apache server configured in 
proxy mode.  Both fail, and again not for every single transaction, but 
reliably.

> If you want to try the latter then run something like this on the server
> (or the proxy):
> 
>     tcpdump -s 1576 -w dump.out tcp port 80 and host <proxy-ip> and host <server-ip>

Since the request shows up in the log file with the 401, and since I've tried
multiple proxies, I didn't consider it to be a proxy problem.  Sometimes 
it works from the outset, in which case it will continue to work until 
one failure happens, then it will continue to fail.  Neither proxy is set 
to cache documents at the moment.  Also, authorization works fine for 
non-HTTP-Upload URLs.  

> 
> Or modify as appropriate for whatever your config is. 
> 
> Then reproduce the problem, and mail us the dump.out file (uuencoded or MIMEd)
> assuming it's not too large.  Preferably the dump file will contain exactly
> the minimal set of queries needed to show the problem.  Note that the dump
> file will contain your unencrypted passwords so use a test account or
> something.

I'll run the tcpdump stuff Wed., when I return to the office.

> 
> Dean
> 

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280

Re: other/893: Authentication for CGIs not always working

Posted by Dean Gaudet <dg...@arctic.org>.

You say the requests are going through a proxy.  Please provide more
details, such as how the proxy is configured, and what proxy it is.  Are
you sure it's not the proxy that's messing things up?  Have you tried
doing a tcpdump and analysing the transaction between the proxy and the
server?

If you want to try the latter then run something like this on the server
(or the proxy):

    tcpdump -s 1576 -w dump.out tcp port 80 and host <proxy-ip> and host <server-ip>

Or modify as appropriate for whatever your config is.

Then reproduce the problem, and mail us the dump.out file (uuencoded or MIMEd)
assuming it's not too large.  Preferably the dump file will contain exactly
the minimal set of queries needed to show the problem.  Note that the dump
file will contain your unencrypted passwords so use a test account or
something.

Dean