www-apache-bugdb mailing list archives

From Brian Nelson <bri...@earthlink.net>
Subject suexec/6933: suexec does not check cgi's from within the docroot (blind execution)
Date Wed, 06 Dec 2000 01:30:50 GMT

>Number:         6933
>Category:       suexec
>Synopsis:       suexec does not check cgi's from within the docroot (blind execution)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Dec 05 17:40:02 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     brinel@earthlink.net
>Release:        1.3.12
>Organization:
apache
>Environment:
Solaris 8 on UltraSparc gcc 2.95.2
>Description:
CGI programs within the main docroot are not getting run through suexec. Programs
called from users' directories go through suexec just fine. For programs attempted to be run
that are outside public_html and the main docroot, suexec gives an error saying that
the command is outside the docroot.

Programs called from the main docroot just get executed as if suexec was disabled.
It appears that suexec doesn't even get called in this condition.
>How-To-Repeat:
Compile out of the box w/suexec. Add ExecCGI to docroot and add a .cgi handler.
Any .cgi progs run w/o suexec.
>Fix:
Unless this is the correct behaviour, I don't see any reason why it should be skipping
over the docroot stuff.
BTW the doc page for suexec is _very_ scarce as far as behavior (maybe it's supposed to do this?!?)
and examples and error explanations. That should be fixed.
>Release-Note:
>Audit-Trail:
>Unformatted: