Re: Security flaw in Cobalt RaQ2 cgiwrap

[nneul () UMR EDU (Nathan Neulinger)]

Just wanted to point out - this is specific to the modifications that
Cobalt has made to cgiwrap for their server's structure. It is not an
issue with the regular version of cgiwrap.

I don't completely understand all of their changes, but they have added
a bunch of code to how cgiwrap detects what user to run stuff as. (And
got rid of cgiwrapd, one of the more useful debugging tools.)

If there are any security concerns about the regular cgiwrap, please let
me know, as well as cc'ing it to bugtraq/etc.

-- Nathan

Chris Adams wrote:
> There is a problem (actually several) with the "cgiwrap" program on
> Cobalt RaQ2 servers.  It is supposed to run CGI programs as the proper
> user instead of "nobody" to make CGIs a little more secure.
>
> The Cobalt directory structure is as follows:
>
> /home/sites/site1/ - top level directory of the site (site1, site2, ...)
> /home/sites/site1/web - top level directory of the web site
> /home/sites/site1/users/*/web - top level directory of web sites for
>                                 individual users (like ~user/public_html)
>
> CGI scripts in the site /web directory should run as the user that owns
> the script and the site1 group (each site has its own group).  Instead,
> they run as user "nobody" group "nobody".
>
> The bigger problem is that cgiwrap apparently interprets top level
> directories of the site /web directory as users.  So if you have a CGI
> in a directory like /home/sites/site1/web/test/test.cgi and attempt to
> go to it at http://www.site1.com/test/test.cgi AND there is a user on
> the system named "test", cgiwrap thinks it should run the script as user
> "test".  It then actually attempts to run a script in /web directory of
> the user "test".
>
> This can be used to break other sites on a RaQ2 in several ways.  First
> of all, if there is are two sites on the system, and one has CGI scripts
> (say for example "submit.cgi") in a subdirectory of their site /web
> directory called "scripts", the admin(s) of the second site can keep any
> scripts in that directory from running by creating a user named
> "scripts" (cgiwrap will give a "file not found" error).  Second (and
> more serious for e-commerce type sites), if the second admin then
> creates programs with the same name in the users/scripts/web directory,
> they will be run when requests for the first site are made.
>
> When someone calls http://www.site1.com/scripts/submit.cgi,
> http://www.site2.com/users/scripts/submit.cgi will be run
> (transparently).  First, that will break site1, but it also can lead to
> private information being submitted to site1 being submitted to site2
> instead.  This is the biggest security problem.
>
> I notified Cobalt about this several weeks ago now, and they've said
> they are working on it, but that is it.  They haven't released any kind
> of notice or update as of yet either.
> --
> Chris Adams <cmadams () hiwaay net>
> Systems and Network Administrator - HiWAAY Information Services
> I don't speak for anybody but myself - that's enough trouble.

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul () umr edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216