Bugtraq mailing list archives

Re: Stupid bug in W3-msql

From: bambi () HUGHES COM AU (David J. Hughes)
Date: Fri, 20 Aug 1999 00:36:45 +1000


On Tue, 17 Aug 1999, gregory duchemin wrote:

there is a really stupid bug in w3-msql cgi-bin developped
by Hughes Technology: http://www.Hughes.com.au
This bug is a bit old but seams to be always actual in the
last release of this software: mini-sql v 2.0.10.1


This isn't a bug in our opinion, it's just the way embedded web scripting
works. There are security related facilities included in w3-mSQL to avoid
these problems and they are outined below.

It's very simple to exploit the flaw; An intruder is able to
look at everything on a remote web server even if the
directory is ".htaccess protected". (eg apache)

the first way to do it:

http://www.victim.org/cgi-bin/w3-msql/protected-directory/pr
ivate-file
note: in this case, the intruder 'll have to already know th
structure of the directory


W3-mSQL has always supported the concept of a private document tree.  If
you set the Force_Private option in the w3-msql section of the config file
to True then w3-msql will not access documents directly from your web
tree.  In that case it uses /usr/local/Hughes/www as the document root for
anything accessed via w3-msql.  This also allows you to hide your w3-msql
source code.

Included in the new 2.0.11 release (shipping from our web site and mirrors
on 20 Aug 1999) is a new configuration option called Force_Suffix.  If
set, w3-mSQL will only process files if the filename's suffix matches the
suffix specified in the config file.  Setting this to .msql for example
ensures that the rest of your pages cannot be accessed via w3-mSQL.

I hope this answers your concerns about w3-mSQL.

Bambi

---
                                    ______
   /   /            /                 /           /      David J. Hughes
  /___/       ___  /__  ___  ___     /  ___  ___ /__     Bambi () Hughes com au
 /   / /  /  /  / /  / /__/ /__     /  /__/ /   /  /     Managing Director
/   / /__/  /__/ /  / /__  ___/    /  /__  /__ /  / o    Hughes Technologies
            __/

Current thread:

Internet Auditing Project Elias Levy (Aug 13)
- Re: Internet Auditing Project Jerry Carlin (Aug 13)
  - Re: Internet Auditing Project CyberPsychotic (Aug 16)
  - Re: Internet Auditing Project Viljo Hakala (Aug 17)
  - Stupid bug in W3-msql gregory duchemin (Aug 17)
    - Re: Stupid bug in W3-msql David J. Hughes (Aug 19)
    - Httpd Logging Methods v0rt (Aug 23)
- <Possible follow-ups>
- Re: Internet Auditing Project David Luyer (Aug 15)
  - Re: Internet Auditing Project Peter J. Holzer (Aug 17)
  - [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Bill Nottingham (Aug 17)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Tymm Twillman (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
    - [RHSA-1999:029-01] Denial of service attack in in.telnetd Bill Nottingham (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Olaf Kirch (Aug 19)

(Thread continues...)