You are viewing a plain text version of this content. The canonical link for it is here.

Posted to apache-bugdb@apache.org by Daniel OBrien <ap...@expo.net> on 1997/08/07 05:50:02 UTC

mod_cgi/973: Invalid request methods are processed by CGI module as GET

>Number:         973
>Category:       mod_cgi
>Synopsis:       Invalid request methods are processed by CGI module as GET
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Aug  6 20:50:01 1997
>Originator:     apache@expo.net
>Organization:
apache
>Release:        1.2.1
>Environment:
FreeBSD 2.1.X (all levels including 0, 5, 7)
built with gcc
>Description:
A user can use an invalid request method for a cgi script like

  BLAH /index.cgi HTTP/1.0

and it is processed by apache as if it were a GET.  These should return
the appropriate Accept headers and log an error to the error log
about "Invalid method in request" but do not.  This request currently runs
the cgi and returns the output of the index.cgi script.  

  A related problem, that made us first notice this, is that cgi scripts
in directories protected with .htaccess that have 

<Limit GET POST>
require valid-user
</Limit>

  are still runable without authenticating the user if the request method
is a non-supported one (such as BLAH above).  Trying to retrieve regular
files with the invalid request method results in attempts to authenticate
(which is the correct behaviour).
>How-To-Repeat:
Yes.  In the first case, just a 

telnet server 80
BLAH /index.cgi HTTP/1.0

works fine when it should not.
For the second part, just setup a directory which controls access through

<Limit GET POST>
require valid-user
</Limit>

Put a CGI script and a regular html file there.  Setup so that authentication
is required to get either file and then use

telnet server 80
BLAH /index.cgi HTTP/1.0

and you should be able to cause the script to be executed and return
the output.  

telnet server 80
BLAH /index.html HTTP/1.0

will give the appropriate invalid request method error and accept header.
>Fix:
This may be a problem with other types of files, but, at least for CGI
scripts, modified the cgi_handler routine to check to see that the request
is valid will properly handle the first situation.  I'm not sure about the
second situation.
%0
>Audit-Trail:
>Unformatted: