Bugtraq mailing list archives

Re: Security alert - CGI exploit in Xitami for OS/2


From: ewen () NAOS CO NZ (Ewen McNeill)
Date: Sat, 26 Sep 1998 14:16:11 +1200


In message <Pine.GSO.3.95.iB1.0.980923230803.5268A-100000@halifax>, "Michael T.
Smith" writes:
On Mon, 21 Sep 1998, Chuck Byam wrote:
The following note was sent to the Xitami mailing list Monday, September 21,
1998.
[Security alert that Xitami has feature that allows cgi-bin
directories under webpages area, and that if ftp into webpages area
is enabled anyone with ftp access can upload their own cgi-bin programs]

The thing is, this was always in the docs (it was considered a feature; I
_think_ there was a way to turn it off but no one remembers how now ;). I
guess people didn't catch this in the docs so iMatix did the right thing
and posted the alert.

Xitami doesn't support the *.cgi convention for CGI programs that some
webservers (optionally) support.  As an alternative Xitami has a feature
where any directory named "cgi-bin" (or the user-configured name) could be
considered a cgi-bin directory, and cgi programs executed out of it.  This
was documented, as a feature, and several people using Xitami make use
of it to subdivide their cgi-bin directories (by project, etc), keeping
the cgi programs near the relevant html files.

Xitami also has a built-in ftp server.  By default this ftp server is
pointed at a different area from the default webpages area (configured
for an anonymous ftp file download area).  However, some people configured
it so that ftp access into their webpages area was allowed (with
suitable username/passwords), to let their clients (etc) upload new webpages.

With this configuration it was possible for a user to connect with ftp,
and providing they had the right access rights (which also needed to be
configured), they could create a new "cgi-bin" directory and then put a
program into it.  Then they could run it by accessing it as:

http://servername/path/to/their/cgi-bin/program

Obviously this poses a security risk if you can't completely trust the
users who have access to the webpages area (ftp access can be restricted
by both passwords, and also IP address ranges).  It is a particular concern
under operating systems which don't provide non-privileged users (eg,
Windows 95); and a considerable number of users of Xitami use it in such
an environment.  So iMatix issued a security alert.

The default configuration is safe.  But an inadvertent combination of
features can lead to a security risk.

In all recent released versions of Xitami up to and including Xitami 2.3d1
(the currently released version) the "any cgi-bin directory" feature is
enabled, and there isn't a configuration option to switch it off.  The next
release (an alpha release is planned in the next few weeks) will have
that feature turned off, and an option to turn it on for people using
Xitami in an environment where security is less of a concern (eg, a
personal PC, or a small Intranet).  Until then iMatix advises people to
take care when allowing users ftp access into the webpages area.

Xitami is an Open Source program, and the source can be found on the
iMatix website (http://www.imatix.com/).  Anyone wishing to disable the
"any cgi-bin directory" feature prior to the next release can patch the
source (in smthttpl.c, http_get_url_type()) that detects cgi-bin URLs by
changing the existing strstr() match on the URL to something like
strncmp() (ie, match only at the start).

Ewen

--
Ewen McNeill, Technical Consultant, iMatix Corporation
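The strstr() versus strncmp() change suggested above, shown as an added illustration: this is not Xitami's own smthttpl.c code, and the function names, the enum and the "/cgi-bin" prefix convention are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a server's URL classifier (not Xitami's source). */
enum url_type { URL_STATIC, URL_CGI };

/* Behaviour described in the alert: a directory named cgi_dir anywhere in
 * the path marks the request as CGI, so a "cgi-bin" created by an ftp user
 * deep inside the webpages area gets its contents executed. */
enum url_type classify_anywhere(const char *path, const char *cgi_dir)
{
    return strstr(path, cgi_dir) != NULL ? URL_CGI : URL_STATIC;
}

/* Mitigated behaviour: only cgi_dir at the very start of the path (followed
 * by '/' or the end of the string) is treated as CGI; any other "cgi-bin"
 * directory is served as ordinary files rather than executed. */
enum url_type classify_prefix_only(const char *path, const char *cgi_dir)
{
    size_t n = strlen(cgi_dir);
    if (strncmp(path, cgi_dir, n) == 0 && (path[n] == '/' || path[n] == '\0'))
        return URL_CGI;
    return URL_STATIC;
}

int main(void)
{
    /* Constructed sample request paths. */
    const char *paths[] = {
        "/cgi-bin/search",                 /* the administrator's real cgi-bin */
        "/clients/acme/cgi-bin/upload",    /* a cgi-bin created via ftp upload */
        "/index.html",
    };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-32s strstr: %s  strncmp: %s\n", paths[i],
               classify_anywhere(paths[i], "/cgi-bin") == URL_CGI ? "CGI   " : "static",
               classify_prefix_only(paths[i], "/cgi-bin") == URL_CGI ? "CGI   " : "static");
    return 0;
}
```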
