httpd-dev mailing list archives

From Brian Behlendorf <br...@organic.com>
Subject Re: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux
Date Thu, 02 Nov 1995 22:33:48 GMT
On Thu, 2 Nov 1995, Andrew Wilson wrote:
> > >URL exhibiting problem: http://www.apache.org//cgi-bin/access_count
> 
> Mmm, well this seems to work, ie you get binary.  I can't find any other
> scripts that do the same thing though.  eg:
> 
> 	http://www.apache.org//cgi-bin/test-cgi
> 
> doesn't misbehave in any way.  What's so special about access_count?

WHOA.  Hold the horses.  First:

I have 

  ScriptAlias /cgi-bin /usr/local/www.tools/cgi-bin

in the srm.conf file for hyperreal's web server, which means it applies 
to www.apache.org as well.  In that directory I have, for example, 
"printenv", so

  http://www.apache.org/cgi-bin/printenv

works as expected.

Second:  There is a /cgi-bin directory off the docroot for 
www.apache.org, with Randy's name on it.  It's used in a couple pages 
being inlined like so:

  <!--#exec cmd="/export/pub/apache/cgi-bin/access_count"-->

What's the result of having a cgi-bin directory off the docroot, even 
though "cgi-bin" is a scriptalias somewhere else?  The answer is that 
while URLs like 

  http://www.apache.org/cgi-bin/blah 

look for 

  /usr/local/www.tools/cgi-bin/blah 

the URL 

  http://www.apache.org//cgi-bin/blah

looks for the *file*

  /export/pub/apache/cgi-bin/access_count

Nothing says that file should be executed.  I believe the original bug 
poster may have been confused as to the purpose of the cgi-bin directory, 
as indeed I would be, which he possibly saw by looking at 
ftp://hyperreal.com/apache/.




Conclusion: the only "bug" is that ScriptAlias doesn't match *pattern*, 
just pattern*.

	Brian


--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  brian@hyperreal.com  http://www.[hyperreal,organic].com/
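
The lookup described in the message above, as a simplified model added here (not Apache's code and not part of the original message): a literal-prefix alias match misses `//cgi-bin/...`, so the request falls through to the document root and is served as a plain file, while collapsing duplicate slashes before the match sends it to the script directory. `DOCROOT` is inferred from the `#exec` path the message quotes; `resolve` and `collapse_slashes` are hypothetical names.

```python
import re

# Alias taken from the message; DOCROOT is an assumption inferred from the
# "#exec cmd" path quoted in it.
SCRIPT_ALIASES = [("/cgi-bin", "/usr/local/www.tools/cgi-bin")]
DOCROOT = "/export/pub/apache"


def collapse_slashes(path):
    """Collapse runs of '/' so '//cgi-bin/x' and '/cgi-bin/x' compare equal."""
    return re.sub(r"/{2,}", "/", path)


def resolve(url_path, normalize=False):
    """Map a URL path to (handler, filesystem path).

    normalize=False models the behaviour in the message: the alias is
    compared as a literal prefix of the raw URL path.
    normalize=True collapses duplicate slashes before the comparison.
    """
    candidate = collapse_slashes(url_path) if normalize else url_path
    for prefix, target in SCRIPT_ALIASES:
        # This sketch matches on a path-segment boundary, so "/cgi-binx"
        # is not treated as part of the alias.
        if candidate == prefix or candidate.startswith(prefix + "/"):
            return ("cgi", target + candidate[len(prefix):])
    # No alias matched: the request is a plain file under the document root.
    # The filesystem treats repeated slashes as one, so the file is found.
    return ("static", collapse_slashes(DOCROOT + "/" + candidate))


if __name__ == "__main__":
    # Constructed sample requests based on the URLs in the message.
    for url in ("/cgi-bin/printenv", "//cgi-bin/access_count"):
        for normalize in (False, True):
            handler, fs_path = resolve(url, normalize)
            print(f"{url!r:28} normalize={normalize!s:5} -> {handler:6} {fs_path}")
```
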

