www-apache-bugdb mailing list archives

From Jens Hamisch <j...@agix.net>
Subject mod_access/1173: Authorized user is not passed to CGI scripts
Date Mon, 29 Sep 1997 11:10:02 GMT

>Number:         1173
>Category:       mod_access
>Synopsis:       Authorized user is not passed to CGI scripts
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Sep 29 04:10:01 1997
>Originator:     jens@agix.net
>Release:        1.2.1
SunOS sol 5.5.1 Generic_103640-08 sun4m sparc SUNW,SPARCstation-10

gcc --version 
A database frontend was set up through the Apache 1.2.1 webserver.
This frontend connects to an mSQL database in order to update it. User
authorization is done using the mod_auth_msql module.

The database frontend is set up as a frameset (of 2 frames) of which
the right frame contains a menu and the left contains the FORMS
pages, which allow updating data items.

As I can see in the access log file, the HTTP server prompts for the
user name and the password, authorizes the user and returns both
the frameset and the right frame to that user. The CGI script,
which is contained in the left frame, is called without the authorized
user environment variable (REMOTE_USER) being set up accordingly. The
log file shows the following:

gate.class.de - admin [29/Sep/1997:12:46:18 +0200] "GET /Admin/ HTTP/1.0" 200 644
gate.class.de - admin [29/Sep/1997:12:46:19 +0200] "GET /Admin/right.html HTTP/1.0" 200 1032
gate.class.de - - [29/Sep/1997:12:46:20 +0200] "GET /Gifs/syslog1.gif HTTP/1.0" 200 14677
gate.class.de - - [29/Sep/1997:12:46:20 +0200] "GET /cgi-bin/nph-count?width=5&link=/admin.html HTTP/1.0" 200 1759
gate.class.de - "" [29/Sep/1997:12:46:22 +0200] "GET /cgi-bin/Admin/main.pl HTTP/1.0" 200
gate.class.de - - [29/Sep/1997:12:46:22 +0200] "GET /Headgrafs/01.gif HTTP/1.0" 404 169

As you can see in the 5th line, instead of the user name, an empty string is
shown for the CGI request.

This problem was not present in Apache 1.1.1. It first occurred when we updated
to Apache 1.2.1.
There's no site containing this bug which is publicly available. The database
is mission-critical, so I'm not allowed to pass you a password.
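
A check for the symptom in this report, as an added example that is not part of the original message or of Apache: it parses the access log entries quoted above and flags requests under a protected path that were served without an authenticated user. The protected prefixes are an assumption, since the report does not show the server's auth configuration.

```python
import re

# Common Log Format: host ident authuser [time] "request" status [bytes]
# authuser is a bare token, "-" (none), or a quoted string such as "".
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>"[^"]*"|\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3})(?: (?P<size>\d+|-))?\s*$'
)

# Assumption: the URL prefixes the auth configuration is meant to cover.
PROTECTED_PREFIXES = ("/Admin/", "/cgi-bin/Admin/")


def parse(line):
    """Parse one access-log line; return None if it is not CLF."""
    m = CLF.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    user = rec["user"].strip('"')
    rec["user"] = None if user in ("", "-") else user
    rec["status"] = int(rec["status"])
    return rec


def unauthenticated_hits(lines):
    """Non-error requests under a protected prefix logged without a user."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None or rec["user"] is not None:
            continue
        if rec["path"].startswith(PROTECTED_PREFIXES) and rec["status"] < 400:
            hits.append((lineno, rec["path"], rec["status"]))
    return hits


# The six log entries quoted in the report above.
SAMPLE = [
    'gate.class.de - admin [29/Sep/1997:12:46:18 +0200] "GET /Admin/ HTTP/1.0" 200 644',
    'gate.class.de - admin [29/Sep/1997:12:46:19 +0200] "GET /Admin/right.html HTTP/1.0" 200 1032',
    'gate.class.de - - [29/Sep/1997:12:46:20 +0200] "GET /Gifs/syslog1.gif HTTP/1.0" 200 14677',
    'gate.class.de - - [29/Sep/1997:12:46:20 +0200] "GET /cgi-bin/nph-count?width=5&link=/admin.html HTTP/1.0" 200 1759',
    'gate.class.de - "" [29/Sep/1997:12:46:22 +0200] "GET /cgi-bin/Admin/main.pl HTTP/1.0" 200',
    'gate.class.de - - [29/Sep/1997:12:46:22 +0200] "GET /Headgrafs/01.gif HTTP/1.0" 404 169',
]

if __name__ == "__main__":
    for hit in unauthenticated_hits(SAMPLE):
        print("no authenticated user on protected path:", hit)
```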
