httpd-users mailing list archives

From Jason Pitt <jnp...@uw.edu>
Subject Re: [users@httpd] prevent cgi-bin script execution prior to authorization dialog success
Date Wed, 15 Aug 2018 02:51:15 GMT
*Thanks Eric-*

*This is the relevant area of the apache2.conf file:*
# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

<Directory /usr/lib/cgi-bin>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

# I know /cgi-bin doesn't exist but I'm pounding my head against a wall here
<Directory /cgi-bin>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>


#<Directory /srv/>
#    Options Indexes FollowSymLinks
#    AllowOverride None
#    Require all granted
#</Directory>
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#
AccessFileName .htaccess


*and my .htaccess files which are located in /usr/lib/cgi-bin and in
/var/www/html/wormbot*
AuthUserFile /home/jpitt/wormbot/passwords
AuthName "Please enter your password"
AuthType Basic
Require valid-user
Satisfy All
*Here's from the access.log:*
127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:51 -0700] "GET /cgi-bin/experimentbrowser HTTP/1.1" 200 3867 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:58 -0700] "GET /favicon.ico HTTP/1.1" 404 501 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"

*You can see the icon images are being blocked (401 code)*

*error.log is clean*

*I've also attached a screenshot of what this looks like...I've gotten the
same result when I use the apache2.config to set the authorization for the
cgi-bin rather than use a .htaccess file*

On Tue, Aug 14, 2018 at 6:37 PM, Eric Covener <covener@gmail.com> wrote:

> On Tue, Aug 14, 2018 at 9:33 PM Jason Pitt <jnpitt@uw.edu> wrote:
> >
> > Hello-
> >
> > I'm having an issue with trying to configure apache that I'm hoping
> someone can help me address.  I have several scripts located in the cgi-bin
> that I want to control access to.   I'm able to either put an .htaccess
> file in the cgi-bin or modify the apache2.conf file to prompt for a
> username and password when the url to the cgi script is entered into a
> browser, however...the script executes and sends content to the browser
> window before the user enters anything into the authorization
> dialog...furthermore the user can just cancel the authorization dialog and
> can then interact with the cgi generated content...the only thing getting
> blocked by apache is access to actual files on the webserver.  How do I
> prevent this behavior?
> >
> It sounds like you may not be protecting the right
> URL/files/directories. What's the relevant config and URL being
> accessed? What does the access log say?
>


-- 
/*
Jason Pitt PhD                                   206.616.1193
Kaeberlein Lab                                   jnpitt@uw.edu
University of Washington
Department of Pathology
Health Sciences Building                    Box 357470
1989 NE Pacific Street
Seattle, WA 98195
*/
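An added check, not part of this thread, that a practitioner could run over the access.log to confirm whether the Require actually gates a path: a 2xx response under a protected prefix whose authenticated-user field (third column) is "-" means Apache never applied the auth requirement to the resource that served it, which is exactly what the 200 on /cgi-bin/experimentbrowser above shows. It assumes the combined log format; the first three sample lines are copied from the excerpt in the post, and the fourth (user "alice") is constructed to show a properly authenticated hit that is not flagged.

```python
import re
from typing import NamedTuple

# Apache "combined" log format: host, ident, authenticated user, timestamp,
# request line, status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

class Finding(NamedTuple):
    path: str
    status: int
    user: str

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def unauthenticated_hits(lines, protected_prefixes):
    """Flag requests under a protected prefix that got a 2xx while the user
    field is '-'. With Basic auth enforced on that resource Apache logs 401
    (no credentials) or the accepted username, never '-' with a 2xx."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not any(rec["path"].startswith(p) for p in protected_prefixes):
            continue
        status = int(rec["status"])
        if 200 <= status < 300 and rec["user"] == "-":
            findings.append(Finding(rec["path"], status, rec["user"]))
    return findings

UA = '"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"'
# First three lines copied from the access.log excerpt in the post; the last
# one is constructed to show an authenticated hit, which must not be flagged.
SAMPLE_LOG = [
    '127.0.0.1 - - [14/Aug/2018:19:33:51 -0700] "GET /cgi-bin/experimentbrowser HTTP/1.1" 200 3867 "-" ' + UA,
    '127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" ' + UA,
    '127.0.0.1 - - [14/Aug/2018:19:33:58 -0700] "GET /favicon.ico HTTP/1.1" 404 501 "-" ' + UA,
    '127.0.0.1 - alice [14/Aug/2018:19:40:00 -0700] "GET /cgi-bin/experimentbrowser HTTP/1.1" 200 3867 "-" ' + UA,
]

if __name__ == "__main__":
    for f in unauthenticated_hits(SAMPLE_LOG, ("/cgi-bin/", "/wormbot/")):
        print(f"UNPROTECTED: {f.path} -> {f.status} (remote user {f.user})")
```

Run it against the real log with `unauthenticated_hits(open("/var/log/apache2/access.log"), ("/cgi-bin/",))`; an empty result after the config fix confirms the script is no longer served without credentials.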
