Posted to apache-bugdb@apache.org by "Alexey V.Meledin" <sy...@pia.ru> on 1999/06/07 17:39:24 UTC

config/4540: Apache executes CGI scripts even without Options Exec CGI, AddHandler cgi-script .cgi and so on (configuration is below)

>Number:         4540
>Category:       config
>Synopsis:       Apache executes CGI scripts even without Options Exec CGI, AddHandler cgi-script .cgi and so on (configuration is below)
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Jun  7 08:40:00 PDT 1999
>Last-Modified:
>Originator:     sysadmin@pia.ru
>Organization:
apache
>Release:        apache_1.3.6rusPL28.15
>Environment:
FreeBSD 3.1 Release
Pentium 133, 64Mb, 4Gb
Apache was compiled with php 3.0.8 and fastcgi module:
Compiled-in modules:
  http_core.c
  mod_charset.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_rewrite.c
  mod_access.c
  mod_auth.c
  mod_usertrack.c
  mod_setenvif.c
  mod_fastcgi.c
  mod_php3.c


>Description:
I've tried to configure Apache to execute only *.cgi files in /cgi-bin and deny execution of others...
After that I found that CGI scripts are executed without any options and handlers.... This is a bug and a security hole, I think.

This is my configuration file:
### Section 1: Global Environment
ServerType standalone
ServerRoot "/usr/local/apache"
LockFile /var/log/apache/httpd.lock
PidFile /var/run/httpd.pid
ScoreBoardFile /var/log/apache/httpd.scoreboard
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 30
ExtendedStatus On

### Section 2: 'Main' server configuration

Port 80
User apache
Group apache
ServerAdmin webmaster@pia.ru
ServerName new.pia.ru
DocumentRoot "/usr/local/apache/share/htdocs"

<Directory />
    Options None
    AllowOverride None
</Directory>

<Directory "/usr/local/apache/share/htdocs">
AllowOverride None
Order allow,deny
Allow from all
</Directory>

DirectoryIndex index.shtml index.html
AccessFileName .htaccess
#To prevent it from others
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>

UseCanonicalName on

DefaultType text/plain

HostnameLookups Off

ErrorLog /var/log/apache/error_log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /var/log/apache/access_log combined
ServerSignature Email

ScriptAlias /cgi-bin/ "/usr/local/apache/share/cgi-bin/"
<Directory "/usr/local/apache/share/cgi-bin">
     AllowOverride None
     Order allow,deny
     Allow from all
</Directory>

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
==========================================================================
What else....
Then I found that the same situation also occurs with
ScriptAlias /fcgi-bin "/usr/local/apache/share/fcgi-bin"
<Directory /usr/local/apache/share/fcgi-bin>
     AllowOverride None
     Order allow,deny
     Allow from all
</Directory>

Without any Options, Apache starts the FastCGI application as a CGI script...
PS: FastCGI can be run as CGI

>How-To-Repeat:
I think you'll find this problem in Apache 1.3.6 with the same configuration as above.
>Fix:
Possibly this is a ScriptAlias and mod_cgi bug, but I'm not sure.
I've spent 5 hours trying to find an error in my configuration, but I've found nothing....

In the /cgi-bin directory I've tried to use
Options None
Options -ExecCGI

But this gives nothing!
>Audit-Trail:
>Unformatted:
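
mod_cgi skips its Options ExecCGI check for requests mapped through ScriptAlias, which matches the behaviour the report observes. The Python check below is an added example (not part of the original report and not Apache's code) that flags ScriptAlias targets whose merged <Directory> Options leave ExecCGI off; the function names are hypothetical, the parser ignores Include, .htaccess and <VirtualHost> scoping, and it assumes the Apache 1.3 default of Options All.

```python
import re, shlex
# Constructed sample: the report's cgi-bin block plus the "Options -ExecCGI" the reporter tried.
SAMPLE_CONF = '''
<Directory />
    Options None
</Directory>
ScriptAlias /cgi-bin/ "/usr/local/apache/share/cgi-bin/"
<Directory "/usr/local/apache/share/cgi-bin">
    Options -ExecCGI
</Directory>
'''

def _norm(path):
    return path.strip('"').rstrip("/") or "/"

def parse(conf):
    """Collect ScriptAlias mappings and per-<Directory> Options from httpd.conf text."""
    aliases, options, current = [], {}, None
    for line in map(str.strip, conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Directory\s+(.+)>$", line, re.I)
        if opened:
            current = _norm(opened.group(1))
        elif line.lower().startswith("</directory"):
            current = None
        else:
            parts = shlex.split(line)
            if parts[0].lower() == "scriptalias" and len(parts) == 3:
                aliases.append((parts[1], _norm(parts[2])))
            elif parts[0].lower() == "options" and current:
                options[current] = [p.lower() for p in parts[1:]]
    return aliases, options

def execcgi_enabled(path, options):
    """Merge Options from the shortest enclosing <Directory> to the longest."""
    on = True  # assumption: Apache 1.3 default "Options All", which includes ExecCGI
    for d, opts in sorted(options.items(), key=lambda kv: len(kv[0])):
        if path == d or path.startswith(d.rstrip("/") + "/"):
            if opts and all(o[0] in "+-" for o in opts):  # +/- form adjusts the inherited set
                on = (on or "+execcgi" in opts) and "-execcgi" not in opts
            else:                                          # plain form replaces it
                on = "execcgi" in opts or "all" in opts
    return on

def audit(conf):
    """Return ScriptAlias targets whose Options say ExecCGI is off; they still run CGI."""
    aliases, options = parse(conf)
    return [(url, fs) for url, fs in aliases if not execcgi_enabled(fs, options)]
```

Where Options is meant to gate execution, map the directory with Alias and enable Options ExecCGI plus AddHandler cgi-script .cgi there instead of ScriptAlias; files without the handler are then served as static content unless access to them is denied.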