WebApp Sec mailing list archives
Re: htaccess with apache
From: Graham Lally <scribe () exmosis net>
Date: Tue, 04 Nov 2003 13:49:13 +0000
Hi,

Hans Mueller wrote:

> I've got some simple cgi-Scripts on my server and he said he used one of them (XXXXXX.ziel.cgi?template=maske1.html.....)

Oh dear, oh dear. Looks like someone's not verifying the file being used as a template before displaying it from their CGI script. Is the CGI under the control of the .htpasswd file, or elsewhere/ScriptAliased? Anyway, if not, or if someone has the password anyway...

    XXXXXX.ziel.cgi?template=../.htpasswd
    XXXXXX.ziel.cgi?template=/etc/passwd

If you're using a simple Perl script (or indeed if you're doing /any/ Perl CGI coding), have a look through this at least:

<http://b0iler.eyeonsecurity.org/tutorials/hackingcgi.htm>

You'll want to filter lots after that, although the easiest way is to restrict the template name to valid characters, and remove everything else. The regexp on the page is:

    /^[\w\-\.]*$/

So if template doesn't match that, something's wrong. MORE IMPORTANTLY, /etc/passwd shouldn't be readable by the CGI server! I'm /guessing/ it's running as root (unless you have some weird set-up that involves chmodding passwd to 777) which is wrong wrong wrong and kind of wrong. Wrong... Check the config for a username to run it as, and change it to something that *doesn't* have root access. "nobody" is a common user.
Otherwise, if someone's accessing a protected cgi script without your say so, then either they got the password from somewhere (another cgi script, more social attacks...) or your config is set up bad.
Anyone Perl CGI-ing should be treated with utmost caution, especially when handing file pointers around.
hth, .g
> to get the files. I thought a Directory secured with mod_access cannot be read/accessed without the proper password. Unfortunately the guy is not answering my eMails and I want to secure my Webserver. Even if he just read the Files (Tripwire didn't show any changes), and didn't write anything to the server. How is it possible to read the files secured with mod_access with a cgi script? Thanks to all and sorry for my funny English
>
> Hans
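The validation Graham describes, as an added example that is not code from this thread or from Hans's script. It applies the regexp quoted above and then adds the second check a practitioner would want: the regexp alone still accepts "", ".." and ".htpasswd", so the script also refuses names beginning with a dot and confirms that the resolved file really sits under the template directory before opening it. This is also the answer to Hans's question: a CGI reads files with the web server's own filesystem permissions, so mod_access and .htpasswd never see that read; only the script's own checks and the server's user account protect the file. The template directory, the function names and the sample names are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Validates the "template" CGI
# parameter before the file is opened. The template directory and the sample
# names below are assumptions made for illustration.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Spec;

my $TEMPLATE_DIR = '/var/www/templates';   # assumed location of the templates

# Step 1: the character whitelist quoted in the thread. Anything outside
# letters, digits, underscore, hyphen and dot is rejected, which already
# removes "/" and therefore "../" and absolute paths such as /etc/passwd.
sub name_is_clean {
    my ($name) = @_;
    return 0 unless defined $name;
    return $name =~ /^[\w\-\.]*$/ ? 1 : 0;
}

# Step 2: the whitelist still accepts "", ".." and ".htpasswd", so refuse
# empty names and names starting with a dot, then resolve the path and
# insist that the real file lives under the template directory (this also
# catches a symlink inside the directory that points somewhere else).
sub safe_template_path {
    my ($name, $dir) = @_;
    $dir = $TEMPLATE_DIR unless defined $dir;
    return undef unless name_is_clean($name);
    return undef if $name eq '' || $name =~ /^\./;
    my $root = abs_path($dir);
    return undef unless defined $root && -d $root;
    my $real = abs_path(File::Spec->catfile($root, $name));
    return undef unless defined $real && -f $real;
    return undef unless index($real, "$root/") == 0;   # must stay inside root
    return $real;
}

# Serve a template: validate first, then open the resolved path, never the
# raw parameter. Returns 1 on success, 0 if the name was rejected.
sub serve_template {
    my ($name, $out) = @_;
    my $path = safe_template_path($name);
    unless (defined $path) {
        print {$out} "Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n";
        print {$out} "bad template name\n";
        return 0;
    }
    open(my $fh, '<', $path) or die "cannot open $path: $!";
    print {$out} "Content-Type: text/html\r\n\r\n";
    while (my $line = <$fh>) {
        print {$out} $line;
    }
    close $fh;
    return 1;
}

# Under Apache, QUERY_STRING is set and the template is served; when run by
# hand, the constructed names below show what the regexp alone lets through.
if (defined $ENV{QUERY_STRING} && $ENV{QUERY_STRING} =~ /(?:^|&)template=([^&]*)/) {
    (my $name = $1) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;   # minimal URL-decode
    serve_template($name, \*STDOUT);
} else {
    for my $n ('maske1.html', '../.htpasswd', '/etc/passwd', '..', '.htpasswd', '') {
        printf "%-15s %s\n", "'$n'",
            name_is_clean($n) ? 'passes regexp' : 'rejected by regexp';
    }
}
```

Run from the command line it lists which constructed names the regexp accepts, which makes the point of the second check visible: "../.htpasswd" and "/etc/passwd" are rejected by the character class, but "..", ".htpasswd" and the empty string get through it and are only stopped by safe_template_path. None of this helps with the other point in Graham's reply: if the server runs as root, every file on the box is readable to any script it runs, so the User directive in the Apache configuration still needs fixing separately.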
Current thread:
- htaccess with apache Hans Mueller (Nov 04)
- Re: htaccess with apache David Precious (Nov 04)
- Re: htaccess with apache Graham Lally (Nov 04)
- Re: htaccess with apache Tim Greer (Nov 04)
- Re: htaccess with apache A.D.Douma (Nov 04)
- Re: htaccess with apache Tim Greer (Nov 04)
- Re: htaccess with apache Sverre H. Huseby (Nov 04)
- Re: htaccess with apache Tim Tompkins (Nov 04)
- Re: htaccess with apache Lucas Holt (Nov 04)
- Re: htaccess with apache A.D.Douma (Nov 05)
- Re: htaccess with apache Tim Greer (Nov 04)
- Re: htaccess with apache Graham Lally (Nov 04)
- Re: htaccess with apache Tim Greer (Nov 04)
- Re: htaccess with apache António Vasconcelos (Nov 05)