Bugtraq mailing list archives
Re: Stupid bug in W3-msql
From: bambi () HUGHES COM AU (David J. Hughes)
Date: Fri, 20 Aug 1999 00:36:45 +1000
On Tue, 17 Aug 1999, gregory duchemin wrote:
> There is a really stupid bug in the w3-msql cgi-bin developed by Hughes Technology: http://www.Hughes.com.au
> This bug is a bit old but seems to be always actual in the last release of this software: mini-sql v 2.0.10.1
This isn't a bug in our opinion, it's just the way embedded web scripting works. There are security-related facilities included in w3-mSQL to avoid these problems and they are outlined below.
> It's very simple to exploit the flaw; an intruder is able to look at everything on a remote web server even if the directory is ".htaccess protected" (e.g. Apache).
> The first way to do it:
> http://www.victim.org/cgi-bin/w3-msql/protected-directory/private-file
> Note: in this case, the intruder will have to already know the structure of the directory.
W3-mSQL has always supported the concept of a private document tree. If you set the Force_Private option in the w3-msql section of the config file to True then w3-msql will not access documents directly from your web tree. In that case it uses /usr/local/Hughes/www as the document root for anything accessed via w3-msql. This also allows you to hide your w3-msql source code.

Included in the new 2.0.11 release (shipping from our web site and mirrors on 20 Aug 1999) is a new configuration option called Force_Suffix. If set, w3-mSQL will only process files if the filename's suffix matches the suffix specified in the config file. Setting this to .msql for example ensures that the rest of your pages cannot be accessed via w3-mSQL.

I hope this answers your concerns about w3-mSQL.

Bambi
---
David J. Hughes
Bambi () Hughes com au
Managing Director
Hughes Technologies
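
As an added illustration (not part of the original message and not Hughes Technologies' code), the C code below models the two safeguards described in the reply: serving only from the private root /usr/local/Hughes/www and refusing files whose suffix does not match the configured one. The function names, the refusal of ".." components and the sample request paths are assumptions; how w3-mSQL itself implements Force_Private and Force_Suffix is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

/* Private document root named in the message above. */
#define PRIVATE_ROOT "/usr/local/Hughes/www"

/* Hypothetical helper: 1 if name ends with suffix (e.g. ".msql"). */
static int has_suffix(const char *name, const char *suffix)
{
    size_t n = strlen(name), s = strlen(suffix);
    return s > 0 && n > s && strcmp(name + n - s, suffix) == 0;
}

/* Hypothetical helper: 1 if any path component is exactly "..". */
static int has_dotdot(const char *path)
{
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += len;
        if (*p == '/')
            p++;
    }
    return 0;
}

/*
 * Map a CGI PATH_INFO value to a file under the private root.
 * Returns 0 and fills out on success, -1 if the request is refused.
 */
int resolve_script(const char *path_info, const char *suffix,
                   char *out, size_t outlen)
{
    if (path_info == NULL || path_info[0] != '/')
        return -1;                      /* must be an absolute URL path */
    if (has_dotdot(path_info))
        return -1;                      /* would climb out of the root */
    if (!has_suffix(path_info, suffix))
        return -1;                      /* suffix restriction */
    int n = snprintf(out, outlen, "%s%s", PRIVATE_ROOT, path_info);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

The checks are lexical only, so symbolic links placed inside the private root are not resolved by this code.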