www-apache-bugdb mailing list archives

From Alex Tutubalin <l...@lexa.ru>
Subject mod_include/3184: <!--#exec cmd="/path/cmd" is not a subject of any restrictions (<Directory> etc)
Date Mon, 12 Oct 1998 06:42:11 GMT

>Number:         3184
>Category:       mod_include
>Synopsis:       <!--#exec cmd="/path/cmd" is not a subject of any restrictions (<Directory>
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Sun Oct 11 23:50:00 PDT 1998
>Originator:     lexa@lexa.ru
>Release:        1.3.3
FreeBSD 2.2.7 w/ gcc, but problem available on all Unix machines
There is no way to open access for #include virtual or #exec cgi
without giving access to #exec cmd command _without_ any restrictions.

I'm running Apache with many virtual hosts, managed by different people.
I want to give access to #include several audited scripts (such as banner systems,
generic footers etc) into user HTML files. Such scripts should reside in a
directory writable only by the auditing team.

Unfortunately, with '#exec cmd' a user can run _any_ code on my machine if he
can upload files into his home directory, change mode to 0755 and
can guess the real path to these files (from httpd's point of view). It is possible
to run any local exploit, mass spam-sending programs and so on.

All other SSI features are not subject to this problem - I can enable Options
Includes for the user's directory, but enable ExecCGI only for tested scripts.

There are several ways:
1) Optimal - put #exec cmd into same restrictions as other CGI calls -
options ExecCGI should be on
2) Palliative - virtual server or directory-wide directive for disabling/
enabling #exec cmd feature
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]
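
An added example, not part of the original report or of Apache's own code: a small Python audit script that parses SSI directives in user HTML and flags `#exec cmd`, the directive the report describes as unrestricted, while leaving `#include virtual` and `#exec cgi` alone. The file names and file contents are constructed sample data, and the function names are hypothetical.

```python
import re

# One SSI directive, e.g. <!--#exec cmd="/path/cmd" -->
# Group 1 is the element name, group 2 the raw attribute string.
SSI_DIRECTIVE = re.compile(r'<!--#(\w+)\s+(.*?)\s*-->', re.DOTALL)
# Attribute name followed by a double-quoted, single-quoted or bare value.
SSI_ATTR = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''')

def parse_directives(text):
    """Yield (line_number, element, attrs) for every SSI directive in text."""
    for m in SSI_DIRECTIVE.finditer(text):
        attrs = {}
        for name, dq, sq, bare in SSI_ATTR.findall(m.group(2)):
            # Names are lower-cased so that EXEC/CMD variants are not missed.
            attrs[name.lower()] = dq or sq or bare
        line = text.count("\n", 0, m.start()) + 1
        yield line, m.group(1).lower(), attrs

def audit(files):
    """Return (path, line, command) for each '#exec cmd' directive found."""
    findings = []
    for path, text in files.items():
        for line, element, attrs in parse_directives(text):
            if element == "exec" and "cmd" in attrs:
                findings.append((path, line, attrs["cmd"]))
    return findings

# Constructed sample input: two user pages on a shared host.
SAMPLE_FILES = {
    "users/alice/index.shtml": (
        '<html>\n'
        '<!--#include virtual="/audited/banner.cgi" -->\n'
        '</html>\n'
    ),
    "users/bob/page.shtml": (
        '<html>\n'
        '<p>hello</p>\n'
        '<!--#EXEC CMD="/home/bob/public_html/tool" -->\n'
        '<!--#exec cgi="/audited/footer.cgi" -->\n'
        '</html>\n'
    ),
}

if __name__ == "__main__":
    for path, line, cmd in audit(SAMPLE_FILES):
        print(f"{path}:{line}: #exec cmd runs {cmd}")
```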
