Mailing List Archive

Re: security bug?
Do we have an answer for this? Are we? Are we not going to fix it?

<Aram>

>X-POP3-Rcpt: awm@luers.qosina.com
>Date: Wed, 8 Nov 1995 12:55:49 -0600
>X-Sender: craig@ns1.netcentral.net
>To: "Aram W. Mirzadeh" <awm@qosina.com>
>From: craig@netcentral.net (Craig W. Hansen)
>Subject: Re: security bug?
>
>Aram,
>
>Just checking in on the progress of the security bug fix we talked about
>last week. Any progress?
>
>Thanks again for your help,
>
>Craig Hansen
>craig@netcentral.net
>
>--
>Craig Hansen
>President
>NetCentral, Inc.
>craig@netcentral.net
>http://www.netcentral.net/
>
>
>
--
Aram W. Mirzadeh, MIS Manager, Qosina Corporation
http://www.qosina.com/~awm/, awm@qosina.com
Apache httpd server team http://www.apache.org
Re: security bug?
Tell them that there are two ways to deal with the situation. The first
is that they can simply move their cgi-bin directory out of DocumentRoot.
If they do that, the problem will vanish.

Alternatively, if they think they can't move the directory, they can just
drop a .htaccess file in the directory which says

DefaultType application/x-httpd-cgi
Options ExecCGI

(or, alternatively, add those to the <Directory> section for that directory
in access.conf). This should also make the problem vanish.

rst
Re: security bug?
I have forwarded the two solutions I mentioned earlier to
craig@netcentral.net, along with an attempt to explain the difficulties
in concocting an effective "fix" --- that it is highly likely to screw
up something else, and very difficult to come up with something that
we can be *sure* will make his arrangement (cgi-bin under DocumentRoot)
safe.

For instance, none of the "fixes" mentioned on this list to date will
suppress the effect he finds objectionable for paths of the form
/./cgi-bin/whatever --- doubled slashes are far from the only way to
violate the security of an improperly placed cgi-bin --- and if it's
properly placed, so that *matching* the ScriptAlias is the only way
to get there, then you just don't have to worry.

I think we serve users in his position better by letting them know
how to play it safe than by providing the illusion of safety when they
choose to play it fast and loose.

rst
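The translation behaviour rst describes, as an added worked model (not Apache's code and not anything posted in this thread): the server prefix-matches the ScriptAlias against the request URI as sent, and anything that fails to match is looked up under DocumentRoot after path cleanup, so //cgi-bin/x.pl and /./cgi-bin/x.pl both land on the script file itself. The DocumentRoot path, the alias table, the .htaccess model and the tiny "filesystem" are all constructed for illustration, and squeeze_slashes is an assumed stand-in for a patch that fixes only the doubled-slash case. The model shows why such a patch leaves /./ open, why canonicalizing before the alias match closes it, and why both remedies given in the thread (moving cgi-bin out of DocumentRoot, or forcing the CGI type with DefaultType and ExecCGI in that directory) also close it.

```python
# Toy model of 1995-era httpd URI-to-filename translation.  Added example to
# illustrate the thread above; it is not Apache's code.  The DocumentRoot,
# the alias table, the per-directory config and the "filesystem" below are
# all constructed for illustration.

DOCROOT = "/usr/local/etc/httpd/htdocs"      # assumed DocumentRoot
CGI_TYPE = "application/x-httpd-cgi"


def canonicalize(uri):
    """Collapse repeated slashes and resolve '.' and '..' segments."""
    out = []
    for seg in uri.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def squeeze_slashes(uri):
    """Assumed model of a patch that fixes only the reported case: doubled slashes."""
    while "//" in uri:
        uri = uri.replace("//", "/")
    return uri


def translate(uri, script_alias, files, normalize=None, dir_config=None):
    """Return (handler, filename) for a request URI.

    script_alias: (url_prefix, directory), as in  ScriptAlias /cgi-bin/ /dir/
    files:        constructed filesystem, the set of paths that exist
    normalize:    what the server applies to the URI before alias matching
    dir_config:   {directory: {"DefaultType": ..., "Options": [...]}} modelling .htaccess
    """
    prefix, script_dir = script_alias
    candidate = normalize(uri) if normalize else uri
    if candidate.startswith(prefix):
        return ("cgi-script", script_dir + candidate[len(prefix):])

    # No alias matched, so the request falls through to DocumentRoot.  The
    # filesystem path is canonical however the URI was spelled, so
    # //cgi-bin/x.pl and /./cgi-bin/x.pl both name <DocumentRoot>/cgi-bin/x.pl.
    filename = DOCROOT + canonicalize(uri)
    if filename not in files:
        return ("not-found", filename)

    # A per-directory config that forces the CGI type and allows ExecCGI makes
    # the server run the script even when it was reached through DocumentRoot.
    for directory, conf in (dir_config or {}).items():
        in_dir = filename.startswith(directory.rstrip("/") + "/")
        if in_dir and conf.get("DefaultType") == CGI_TYPE and "ExecCGI" in conf.get("Options", ()):
            return ("cgi-script", filename)
    return ("static-file", filename)        # source of x.pl sent as plain text


# Two layouts from the thread: cgi-bin under DocumentRoot (the complaint) and
# cgi-bin outside it (the first remedy).
UNDER = ("/cgi-bin/", DOCROOT + "/cgi-bin/")
OUTSIDE = ("/cgi-bin/", "/usr/local/etc/httpd/cgi-bin/")
FILES_UNDER = {UNDER[1] + "x.pl"}
FILES_OUTSIDE = {OUTSIDE[1] + "x.pl"}
HTACCESS = {DOCROOT + "/cgi-bin": {"DefaultType": CGI_TYPE, "Options": ["ExecCGI"]}}

PROBES = ("/cgi-bin/x.pl", "//cgi-bin/x.pl", "/./cgi-bin/x.pl")


def handlers(script_alias, files, **kw):
    """Handler chosen for each probe URI under one configuration."""
    return {uri: translate(uri, script_alias, files, **kw)[0] for uri in PROBES}


if __name__ == "__main__":
    scenarios = {
        "cgi-bin under DocumentRoot":        handlers(UNDER, FILES_UNDER),
        "  + patch squeezing '//' only":     handlers(UNDER, FILES_UNDER, normalize=squeeze_slashes),
        "  + canonicalize before matching":  handlers(UNDER, FILES_UNDER, normalize=canonicalize),
        "  + .htaccess DefaultType/ExecCGI": handlers(UNDER, FILES_UNDER, dir_config=HTACCESS),
        "cgi-bin moved out of DocumentRoot": handlers(OUTSIDE, FILES_OUTSIDE),
    }
    for name, result in scenarios.items():
        print(name)
        for uri, handler in result.items():
            print(f"    {uri:18} -> {handler}")
```

Run it as a script to see the table: in the vulnerable layout only the plain /cgi-bin/ URI is executed and the other two spellings return the script source as a static file; the slash-squeezing patch repairs //cgi-bin/ but not /./cgi-bin/; canonicalizing before the alias match, the .htaccess remedy, and moving cgi-bin out of DocumentRoot (where the odd spellings now resolve to a file that does not exist) each leave nothing to read.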
Re: security bug?
Forwarding this message at the request of the user. Please do read it.


>X-POP3-Rcpt: awm@luers.qosina.com
>Date: Wed, 8 Nov 1995 16:09:24 -0600
>X-Sender: craig@ns1.netcentral.net
>To: "Aram W. Mirzadeh" <awm@qosina.com>
>From: craig@NetCentral.NET (Craig W. Hansen)
>Subject: Re: security bug?
>Cc: cy@NetCentral.NET, craig@NetCentral.NET
>
>Thanks for the update, Aram. I can offer two bits of input to your debate
>that cut to the heart of the issue. If appropriate, please quote this to
>your workgroup, but please withhold my email address because, after all, our
>scripts are no longer secure (but I had to trust somebody, right? :-) ).
>
>---
>1. We have some very special programs, written in Perl, that are very
>proprietary in nature. Some of them define our uniqueness (and our revenue
>stream), and some contain proprietary code that could represent a security
>risk to our clients. This bug allows free access to the source code to
>these scripts, and is an unacceptable vulnerability. This is an issue
>worthy of a CERT advisory. With the simple addition of an extra slash, a
>user can override the specific instructions that I have given Apache in
>its configuration files -- period -- that's a textbook definition of a
>"bug". The Apache Group has a responsibility to not only fix this security
>hole, but also to advise Apache users of the vulnerability as soon as a
>remedy is available.
>
>2. The reason we liked Apache is that it strives to be better than NCSA's
>versions. For instance, you don't follow the same paradigm for spawning
>multiple processes because yours is better than NCSA's. My humble opinion
>is that the Apache group should be concerned with competing with NCSA 1.5,
>Netscape's servers, and all the others and not conforming to NCSA 1.3's
>quirks. We have yet to find this cgi-bin behavior in any other web server
>on the Net (other than Apache systems), because NCSA httpd 1.3 is quite
>obsolete.
>---
>
>Thanks for working with us on this -- I would appreciate a copy of your
>patches to 1.8.14 as soon as it is convenient.
>
>Regards,
>
>Craig Hansen
>NetCentral, Inc.
>craig@netcentral.net
>
>--
>Craig Hansen
>President
>NetCentral, Inc.
>craig@netcentral.net
>http://www.netcentral.net/
>
>
>
--
Aram W. Mirzadeh, MIS Manager, Qosina Corporation
http://www.qosina.com/~awm/, awm@qosina.com
Apache httpd server team http://www.apache.org