Posted to apache-bugdb@apache.org by Daniel Rock <ro...@cs.uni-sb.de> on 1998/08/15 03:19:21 UTC

general/2860: .htaccess can be bypassed with cgi scripts which use PATH_TRANSLATED info (Re: PR1418)

>Number:         2860
>Category:       general
>Synopsis:       .htaccess can be bypassed with cgi scripts which use PATH_TRANSLATED info (Re: PR1418)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Fri Aug 14 18:20:02 PDT 1998
>Last-Modified:
>Originator:     rock@cs.uni-sb.de
>Organization:
apache
>Release:        any
>Environment:
any
>Description:
I have MSQL installed on our machine. With MSQL I also have installed
w3-msql in the global /cgi-bin/ directory. MSQL Lite scripts can thus be embedded
in normal HTML code and then be parsed with
http://server/cgi-bin/w3-msql/scripts/sql.html
Some of these scripts should be protected from unauthorized persons and
should be kept in directories protected with .htaccess.

But with this limitation I can browse the complete WWW space, including
password-protected regions. Installing the program only in a protected
cgi-bin doesn't help. Now I can browse the WWW space with only one password,
instead of the many different passwords in several subdirectories.

Since w3-msql cannot parse .htaccess files (and shouldn't, because it could
be run on other WWW servers with a different security model), the only solution
is that the web server itself does the authorization.
>How-To-Repeat:
test.cgi:
#!/bin/sh
# Minimal reproducer: serves whatever file PATH_TRANSLATED names, and the
# server has only evaluated the .htaccess of /cgi-bin/, not of that file.
echo "Content-Type: text/plain"
echo
cat -- "$PATH_TRANSLATED"

http://www.server/cgi-bin/test.cgi/securedir/securefile.txt
>Fix:
The .htaccess file of the destination of PATH_TRANSLATED should also be checked.
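Added example, not part of this PR or of w3-msql: until the server checks the destination itself, a CGI script that serves PATH_TRANSLATED can apply the check described above on its own. The guard resolves symlinks and ".." first, confirms the target is a regular file under DocumentRoot, and refuses it if any .htaccess from the root down to the file's directory carries an access-control directive (the directive list and the sample tree are assumptions made for the example).

```python
import os
import re
import tempfile

# Directives that mark a directory as access-controlled.  Assumption: this
# list covers the deployment; a stricter policy would refuse any .htaccess.
_ACCESS_DIRECTIVES = re.compile(
    r"^\s*(require|authtype|authuserfile|order|deny|allow)\b", re.I | re.M)


def htaccess_restricts(htaccess_path):
    """True if the .htaccess exists and contains an access-control directive."""
    try:
        with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
            return _ACCESS_DIRECTIVES.search(fh.read()) is not None
    except OSError:
        return False


def allowed_by_htaccess(document_root, path_translated):
    """True only if path_translated is a regular file under document_root and
    no .htaccess between the root and the file restricts access.  Symlinks and
    '..' are resolved first, so a link into a protected tree is judged by
    where it really points."""
    root = os.path.realpath(document_root)
    target = os.path.realpath(path_translated)
    if os.path.commonpath([root, target]) != root:
        return False  # target lies outside DocumentRoot
    if not os.path.isfile(target):
        return False
    # DocumentRoot plus every directory below it down to the file's directory.
    dirs, cur = [root], root
    for part in os.path.relpath(os.path.dirname(target), root).split(os.sep):
        if part and part != ".":
            cur = os.path.join(cur, part)
            dirs.append(cur)
    return not any(htaccess_restricts(os.path.join(d, ".htaccess")) for d in dirs)


def build_fixture():
    """Constructed sample tree: a public file, a .htaccess-protected file, and
    a symlink in the public area that points into the protected directory."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "securedir"))
    with open(os.path.join(root, "securedir", ".htaccess"), "w") as fh:
        fh.write("AuthType Basic\nAuthName secure\nRequire valid-user\n")
    for name in ("public.txt", "securedir/securefile.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("data\n")
    os.symlink(os.path.join(root, "securedir", "securefile.txt"),
               os.path.join(root, "link.txt"))
    return root
```

In a real CGI the script would call allowed_by_htaccess(os.environ["DOCUMENT_ROOT"], os.environ["PATH_TRANSLATED"]) and answer 403 when it returns False.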
>Audit-Trail:
>Unformatted: