From: Jeff Trawick <trawick@gmail.com>
To: Apache HTTP Server Development List <dev@httpd.apache.org>
Date: Fri, 20 Sep 2013 16:33:05 -0400
Subject: Re: [PATCH 49220] mod_fcgid - restrict arbitrary command execution from .htaccess files
In-Reply-To: <7D9F127E-5D38-4190-80A7-58BFDC55E051@uvm.edu>
Mailing-List: dev@httpd.apache.org (archived as apmail-httpd-dev-archive@www.apache.org)

On Fri, Sep 20, 2013 at 4:31 PM, Benjamin Coddington <bcodding@uvm.edu> wrote:

> Hello everyone,
>
> We're looking at moving our shared hosting execution behind mod_fcgid and
> suexec, but we need to continue to allow our users .htaccess 'Files'
> overrides. The current mod_fcgid allows users to execute arbitrary
> commands by configuring the FcgidAccessChecker, FcgidAuthenticator,
> FcgidAuthorizer, and FcgidWrapper directives within .htaccess files.
>
> - https://issues.apache.org/bugzilla/show_bug.cgi?id=49220
>
> I've approached a fix by creating a directive that would disable the
> application of those directives within .htaccess files if set; that patch
> has been submitted to the httpd bug 49220.
>
> You might shrewdly wonder "how can this matter - this is cgi after all,
> we're just going to try to exec the resulting file!", but we're able to get
> away from that by disabling ExecCGI globally and setting it per-request in
> a separate module which also ensures the request is mapped to our specific
> FcgidWrapper.
>
> I see mod_fcgid 2.3.8 is closing in a few days; any chance to sneak this
> in? Thanks for your time and consideration.
>
> Ben

Unless someone else speaks up, I'll spend some time on it.

--
Born in Roswell... married an alien...
http://emptyhammock.com/
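An added example, not part of the thread or of mod_fcgid: an operator-side audit that reports where the four directives Ben lists (FcgidWrapper, FcgidAccessChecker, FcgidAuthenticator, FcgidAuthorizer) appear in user-editable .htaccess files, the inventory a shared host wants before deciding on override restrictions. It follows httpd's config conventions (case-insensitive directive names, `#` comments, backslash line continuations); the sample .htaccess and its paths are constructed for the run.

```python
import re

# The four mod_fcgid directives named in the thread each point at an executable
# httpd will run, so an operator granting .htaccess overrides wants to know where.
FCGID_EXEC_DIRECTIVES = ("FcgidWrapper", "FcgidAccessChecker",
                         "FcgidAuthenticator", "FcgidAuthorizer")
_DIRECTIVE_RE = re.compile(r"^(%s)\b\s*(.*)$" % "|".join(FCGID_EXEC_DIRECTIVES),
                           re.IGNORECASE)  # httpd matches names case-insensitively

def logical_lines(text):
    # Yield (first_line_no, line) with backslash continuations joined, as
    # httpd's config reader does, so a directive split across lines is caught.
    buf, start = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        start = number if start is None else start
        line = raw.strip()
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended inside a continuation
        yield start, " ".join(buf)

def find_fcgid_directives(text):
    # Return [(line_no, directive, argument)] for every active (non-comment)
    # Fcgid* execution directive in one .htaccess body.
    hits = []
    for number, line in logical_lines(text):
        if line.startswith("#"):
            continue  # httpd ignores comment lines
        m = _DIRECTIVE_RE.match(line)
        if m:
            hits.append((number, m.group(1), m.group(2).strip()))
    return hits

# Constructed sample .htaccess (not from the thread) for a stand-alone run.
SAMPLE_HTACCESS = """\
# FcgidWrapper /usr/bin/true .php   <- commented out, must not be reported
Options +ExecCGI
FcgidWrapper /home/user/cgi-bin/php-wrapper \\
    .php
fcgidauthenticator /home/user/bin/auth virtual
"""

if __name__ == "__main__":
    for number, directive, arg in find_fcgid_directives(SAMPLE_HTACCESS):
        print(f"line {number}: {directive} {arg}")
```

Run it over every .htaccess under a document root (for example with os.walk) to get the list of files to review before granting or narrowing AllowOverride.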