WebApp Sec mailing list archives

Re: htaccess with apache


From: Graham Lally <scribe () exmosis net>
Date: Tue, 04 Nov 2003 13:49:13 +0000

Hi,

Hans Mueller wrote:
I've got some simple cgi-Scripts on my server and he said
he used one of them (XXXXXX.ziel.cgi?template=maske1.html.....)

Oh dear, oh dear. Looks like someone's not verifying the file being used as a template before displaying it from their CGI script. Is the CGI under the control of the .htpasswd file, or elsewhere/scriptaliased? Anyway, if not, or if someone has the password anyway...

XXXXXX.ziel.cgi?template=../.htpasswd
XXXXXX.ziel.cgi?template=/etc/passwd

If you're using a simple Perl script (or indeed if you're doing /any/ Perl CGI coding), have a look through this at least:

<http://b0iler.eyeonsecurity.org/tutorials/hackingcgi.htm>

You'll want to filter lots after that, although the easiest way is to restrict the template name to valid characters, and remove everything else. The regexp on the page is:

        /^[\w\-\.]*$/

So if template doesn't match that, something's wrong.

MORE IMPORTANTLY,
/etc/passwd shouldn't be readable by the CGI server! I'm /guessing/ it's running as root (unless you have some weird set-up that involves chmodding passwd to 777) which is wrong wrong wrong and kind of wrong. Wrong... Check the config for a username to run it as, and change it to something that *doesn't* have root access. "nobody" is a common user.

Otherwise, if someone's accessing a protected cgi script without your say so, then either they got the password from somewhere (another cgi script, more social attacks...) or your config is set up badly.

Anyone Perl CGI-ing should be treated with utmost caution, especially when handing file pointers around.

hth,
.g

to get the files. I thought a Directory secured with mod_access
cannot be read/accessed without the proper password.
Unfortunately the guy is not answering my e-mails
and I want to secure my Webserver. Even if he just read
the Files (Tripwire didn't show any changes), and didn't
write anything to the server.

How is it possible to read the files secured with mod_access
with a cgi script?

Thanks to all and sorry for my funny
English

Hans
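
The character whitelist Graham recommends, worked into a small template loader as an added example (this is not code from the original post or from the linked tutorial). It assumes the templates live in their own directory and end in .html; both are assumptions, as is the CGI parameter name. Note that the regexp on its own still admits names like ".htpasswd" and "..", so the loader also rejects a leading dot, requires the extension, and checks that the resolved path stays inside the template directory:

```perl
#!/usr/bin/perl
# Added example, not code from the original post or from the linked
# tutorial: a template loader for a CGI script that takes ?template=,
# applying the character whitelist from the reply plus a few stricter
# checks. The templates directory and the .html extension are assumptions.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(abs_path);

# Returns the resolved absolute path of the template when the name is
# acceptable and the file exists under $dir, otherwise undef. It never
# dies on bad input, so the caller can send a plain error page instead
# of a stack trace that reveals paths.
sub safe_template_path {
    my ($name, $dir) = @_;
    return undef unless defined $name && defined $dir;

    # 1. Character whitelist: letters, digits, underscore, dash, dot.
    #    \A and \z rather than ^ and $, because $ still matches before a
    #    trailing newline; + rather than * so an empty name is rejected.
    return undef unless $name =~ /\A[\w\-\.]+\z/;

    # 2. The whitelist alone still admits ".htpasswd", ".htaccess" and
    #    "..", so forbid a leading dot and require the template extension.
    return undef if $name =~ /\A\./;
    return undef unless $name =~ /\.html\z/;

    # 3. Only serve regular files, then resolve symlinks and confirm the
    #    real path is still inside the template directory.
    my $path = File::Spec->catfile($dir, $name);
    return undef unless -f $path;
    my $real     = abs_path($path);
    my $real_dir = abs_path($dir);
    return undef unless defined $real && defined $real_dir;
    return undef unless index($real, $real_dir . '/') == 0;

    return $real;
}

# In the real CGI script $name would come from the query string (for
# example CGI->new->param('template')). Here a throw-away directory with
# one constructed template stands in for the web server's template
# directory, so the script runs offline.
my $dir = tempdir(CLEANUP => 1);
open my $fh, '>', "$dir/maske1.html" or die "cannot create template: $!";
print $fh "<html><body>constructed template</body></html>\n";
close $fh;

# Constructed sample inputs: the legitimate name from the thread and a
# few shapes of bad input, each annotated with the check that stops it.
my @samples = (
    'maske1.html',      # accepted: whitelisted name, exists, inside $dir
    '../.htpasswd',     # rejected: slash is not in the whitelist
    '/etc/passwd',      # rejected: slash
    '.htpasswd',        # rejected: leading dot
    'maske1',           # rejected: no .html extension
    "maske1.html\n",    # rejected: trailing newline (caught by \z)
    '',                 # rejected: empty name
);

for my $name (@samples) {
    (my $shown = $name) =~ s/\n/\\n/g;
    my $path = safe_template_path($name, $dir);
    printf "%-16s => %s\n", "'$shown'", defined $path ? "serve $path" : 'reject';
}
```

Run it with `perl` and it prints one line per sample: only `maske1.html` resolves to a path, everything else is rejected before any file is opened. The containment check in step 3 is what keeps a symlink dropped into the template directory from pointing the script outside it; the whitelist alone would not catch that. This only limits what the script will open, so it complements, rather than replaces, running the CGI as an unprivileged user as the reply advises.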

