From: Jason Pitt
To: users@httpd.apache.org
Date: Wed, 15 Aug 2018 14:50:17 -0700
Subject: Re: [users@httpd] prevent cgi-bin script execution prior to authorization dialog success

Ok, I have a workaround, but I'm really unhappy with it and I'd like it if someone can verify for me that I'm not doing something wrong before I change my whole code base to deal with the cgi scripts not being present in the Apache default cgi-bin (on my system /usr/lib/cgi-bin).
So when a client requests a file from the cgi-bin, Apache seems to execute it before asking for Basic Authorization. However, if I take the exact same apache2.config block, change the directory to somewhere else, in this case /var/www/html, add +ExecCGI and a handler for .cgi files... Apache has the behavior I'd expect. It asks for authorization, then executes the .cgi file. Why on earth can't I just do that for the default cgi-bin???

So this works:

    <Directory /var/www/html>
        Options Indexes FollowSymLinks ExecCGI
        AddHandler cgi-script .cgi
        AllowOverride None
        AuthUserFile /home/jpitt/wormbot/passwords
        AuthType Basic
        AuthName "Kaebot"
        Require valid-user
    </Directory>

This asks for a password but executes the script regardless of user input:

    <Directory /usr/lib/cgi-bin>
        Options Indexes FollowSymLinks ExecCGI
        AddHandler cgi-script .cgi
        AllowOverride None
        AuthUserFile /home/jpitt/wormbot/passwords
        AuthType Basic
        AuthName "Kaebot"
        Require valid-user
    </Directory>

Exact same cgi script... just placed in different locations.

Is this a "feature" of Apache I'm just not appreciating?
-J

On Wed, Aug 15, 2018 at 2:34 AM, Eric Covener wrote:
> > Here's from the access.log:
> >
> > 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> > 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> > 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> > 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> > 127.0.0.1 - - [14/Aug/2018:19:33:51 -0700] "GET /cgi-bin/experimentbrowser HTTP/1.1" 200 3867 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> > 127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> > 127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> > 127.0.0.1 - - [14/Aug/2018:19:33:58 -0700] "GET /favicon.ico HTTP/1.1" 404 501 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> >
>
> Looks like two page loads 30 seconds apart, but I notice there is no
> request for the CGI itself for the first one but requests for the page
> elements.
> Are you sure there's no browser caching in the way here? And perhaps
> the basic auth credentials are cached for the /cgi-bin/ path but the
> browser doesn't send them automatically for the static elements that
> don't share a context root?
>
> A private/incognito window, or temporarily logging %{Authorization}i
> might clear some things up.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

--
/*
Jason Pitt PhD                          206.616.1193
Kaeberlein Lab                          jnpitt@uw.edu
University of Washington
Department of Pathology
Health Sciences Building                Box 357470
1989 NE Pacific Street
Seattle, WA 98195
*/
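Before drawing a conclusion from what the browser shows, it is worth reading the access log the way Eric suggests, on the server side. Assuming the log uses Apache's "combined" LogFormat (the quoted lines have its nine fields), the third field is %u, the user name set by the authentication module, and it is "-" when no user was authenticated for that request. On every line quoted above that field is "-", including the 200 for /cgi-bin/experimentbrowser, and that is the thing to check systematically. The script below is an added example, not code from this thread or from httpd: it parses combined-format lines and flags every 2xx under a protected path prefix where no user was recorded. The protected prefixes, the user name, the sample lines and the optional trailing field are constructed for the example. One caveat on logging %{Authorization}i directly: for Basic auth the raw header is the base64 of user:password, so it lands in the access log in recoverable form; logging only whether the header was present (SetEnvIf Authorization "^Basic " has_authz=1 in the config and %{has_authz}e appended to the LogFormat) answers the same question without writing credentials to disk, and the parser below accepts that extra field when it is there.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Apache "combined" LogFormat, which the access.log lines quoted in this
# thread follow:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# %u is the user name established by the authentication module, or "-" when
# no user was authenticated. An optional trailing field is accepted for a
# LogFormat extended with %{has_authz}e; that extension is an assumption of
# this example, not something the thread's server logs.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
    r'(?: (?P<has_authz>\S+))?\s*$'
)


def parse_combined(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def unauthenticated_successes(
    lines: Iterable[str], protected_prefixes: Tuple[str, ...]
) -> List[Dict[str, object]]:
    """Flag 2xx responses under a protected prefix for which Apache recorded
    no authenticated user. When the log carries the extra has_authz field,
    each finding also says whether the client sent an Authorization header
    at all, which separates "never challenged" from "sent but not checked"."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        path = (rec["path"] or "").split("?", 1)[0]
        if not path.startswith(protected_prefixes):
            continue
        status = int(rec["status"])
        if 200 <= status < 300 and rec["user"] == "-":
            findings.append({
                "time": rec["time"],
                "path": rec["path"],
                "status": status,
                # "1" if the request carried an Authorization header, "-" if
                # not, "unknown" if the LogFormat has no such field
                "client_sent_authz": rec["has_authz"] or "unknown",
            })
    return findings


# Prefixes the poster's two <Directory> blocks are meant to protect (assumed
# URL mapping for the example).
PROTECTED = ("/cgi-bin/", "/wormbot/")

# Constructed sample lines in the same format as the ones quoted above; they
# are not from the poster's server. The last two carry the extra field.
SAMPLE_LOG = [
    # first contact, no credentials: a 401 challenge is what a protected
    # path should produce
    '127.0.0.1 - - [14/Aug/2018:19:33:51 -0700] "GET /cgi-bin/experimentbrowser HTTP/1.1" 401 736 "-" "curl/7.58.0"',
    # valid credentials: %u now carries the user name from AuthUserFile
    '127.0.0.1 - testuser [14/Aug/2018:19:33:52 -0700] "GET /cgi-bin/experimentbrowser HTTP/1.1" 200 3867 "-" "curl/7.58.0"',
    # the pattern this thread is about: 2xx for the CGI with no user recorded
    '127.0.0.1 - - [14/Aug/2018:19:34:10 -0700] "GET /cgi-bin/experimentbrowser?id=7 HTTP/1.1" 200 3867 "-" "curl/7.58.0"',
    # outside every protected prefix; ignored
    '127.0.0.1 - - [14/Aug/2018:19:34:11 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "curl/7.58.0"',
    # extended LogFormat: no Authorization header sent, challenged as expected
    '127.0.0.1 - - [14/Aug/2018:19:34:12 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "curl/7.58.0" -',
    # extended LogFormat: header present, no user recorded, yet a 200
    '127.0.0.1 - - [14/Aug/2018:19:34:13 -0700] "GET /cgi-bin/experimentbrowser HTTP/1.1" 200 3867 "-" "curl/7.58.0" 1',
]

if __name__ == "__main__":
    import sys
    # With no argument the constructed sample is used; otherwise the given
    # access.log is read line by line.
    source = SAMPLE_LOG if len(sys.argv) < 2 else open(sys.argv[1], encoding="utf-8", errors="replace")
    for finding in unauthenticated_successes(source, PROTECTED):
        print(finding)
```

Run it against the real file (python3 check_authz.py /var/log/apache2/access.log, assuming that path) after fetching the CGI once from a fresh incognito window or with curl and no credentials: a protected path should never appear in the output, and a hit whose client_sent_authz is "-" or "unknown" means the server answered 2xx to a request that carried no credentials at all, independent of anything the browser cached.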