Bugtraq mailing list archives

Re: Security flaw in Cobalt RaQ2 cgiwrap


From: cmadams () HIWAAY NET (Chris Adams)
Date: Tue, 9 Nov 1999 15:27:07 -0600


Once upon a time, Nathan Neulinger <nneul () UMR EDU> said:
> Just wanted to point out - this is specific to the modifications that
> Cobalt has made to cgiwrap for their server's structure. It is not an
> issue with the regular version of cgiwrap.

That is correct.  I'm sorry if I wasn't clear about that.  It also
appears to be a problem only on the RaQ2, not the original RaQ.

> I don't completely understand all of their changes, but they have added
> a bunch of code to how cgiwrap detects what user to run stuff as. (And
> got rid of cgiwrapd, one of the more useful debugging tools.)

cgiwrapd is still there, it just isn't directly obvious how to use it.
If you normally call your script as

http://www.site1.com/test.cgi

you can call it as

http://www.site1.com/cgiwrapDir/cgiwrapd/test.cgi

to run it under cgiwrapd.  Basically they ScriptAlias "cgiwrapDir" to
the directory where cgiwrap is installed.

Cobalt has an updated package available on their FTP site (I haven't
received anything official about it, but I found it, installed it, and
tested it).  It appears to fix all of the bugs I found, and changes the
behavior some.  Instead of running scripts in the site's /web directory
as user "nobody" and the site's group, it runs them as the owner of the
script, _if_ that user is a member of the site's admin group.  I like
that better than running all site CGIs as "nobody".

--
Chris Adams <cmadams () hiwaay net>
Systems and Network Administrator - HiWAAY Information Services
I don't speak for anybody but myself - that's enough trouble.


