Bugtraq mailing list archives
Re: www-sql cgi prog overrides .htaccess restrictions.
From: markjr () SHMOOZE NET (Stunt Pope)
Date: Mon, 9 Feb 1998 12:27:25 -0500
On 09-Feb-98 Mr LEROY christophe wrote:
www-sql is a cgi program to access a mysql database via an http server and create easily some pages from a query result. That program acts as a filter, using the PATH_TRANSLATED feature to access html files on your server tree, and it translates <! sql ...> tags into html viewable text, leaving other parts of the html file unchanged. The problem is that www-sql performs nothing to verify if a user can access the intended PATH_TRANSLATED file.

So, suppose your htdocs tree is /home/htdocs/ and you have a subdirectory /home/htdocs/protected/ in which you have restricted access using an .htaccess file. In your browser, enter URL http://your.server/protected/something.html: you get prompted for a username and a password. Now, enter URL http://your.server/cgi-bin/www-sql/protected/something.html: you get the requested file.

www-sql is available in the Incoming sunsite directory.
This is a common characteristic of other "cgi-wrapper" programs as well, including w3-msql and php.cgi. The latter addresses this by giving one the option to set PATTERN_RESTRICT at compile time (that way it will only load files ending in, say, ".phtml"), or by compiling as an apache module. I'm not sure about w3-msql because I haven't been following it for quite some time.

regards,
markjr

---
Mark Jeftovic aka: mark jeff or vic, stunt pope.
markjr () shmOOze net http://www.shmOOze.net/~markjr
PWC's BOFH http://www.PrivateWorld.com irc: L-bOMb
Keep `em Guessing
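The checks a PATH_TRANSLATED filter needs before opening the file it was handed, written as an added C example that is not www-sql's or php.cgi's own code: it confines the path to the document root, enforces a PATTERN_RESTRICT-style suffix rule, and refuses files under any directory that carries an .htaccess the CGI cannot evaluate. The /home/htdocs layout and the demo_exists probe are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum verdict { ALLOW = 0, DENY_OUTSIDE_ROOT, DENY_DOTDOT, DENY_SUFFIX, DENY_PROTECTED_DIR };
typedef int (*exists_fn)(const char *path); /* file probe, injectable for tests */

int real_exists(const char *p) { return access(p, F_OK) == 0; }
/* Constructed stand-in: pretends only /home/htdocs/protected/ carries an .htaccess. */
int demo_exists(const char *p) { return strcmp(p, "/home/htdocs/protected/.htaccess") == 0; }

/* Non-zero if any path component is "." or "..". */
static int has_dot_component(const char *s) {
    while (*s) {
        const char *e = strchr(s, '/');
        size_t n = e ? (size_t)(e - s) : strlen(s);
        if ((n == 1 && s[0] == '.') || (n == 2 && s[0] == '.' && s[1] == '.')) return 1;
        if (!e) break;
        s = e + 1;
    }
    return 0;
}

/* Decide whether a filter may open the file named in PATH_TRANSLATED. */
enum verdict check_path_translated(const char *docroot, const char *path,
                                   const char *suffix, exists_fn exists) {
    size_t rl = strlen(docroot), pl = strlen(path), sl = strlen(suffix);
    char probe[4096];
    /* 1. Stay inside the document tree: prefix match and no "." / ".." parts.
     *    (A real filter would also realpath(3) it to defeat symlinks.) */
    if (strncmp(path, docroot, rl) != 0 || path[rl] != '/') return DENY_OUTSIDE_ROOT;
    if (has_dot_component(path)) return DENY_DOTDOT;
    /* 2. PATTERN_RESTRICT-style rule: only serve files with the agreed suffix. */
    if (pl < sl || strcmp(path + pl - sl, suffix) != 0) return DENY_SUFFIX;
    /* 3. Refuse any directory between docroot and the file that carries an
     *    .htaccess, since the CGI cannot evaluate the server's access rules. */
    for (size_t i = rl; i < pl; i++) {
        if (path[i] != '/') continue;
        if (i + 11 > sizeof probe) return DENY_PROTECTED_DIR; /* would not fit */
        memcpy(probe, path, i + 1);
        strcpy(probe + i + 1, ".htaccess");
        if (exists(probe)) return DENY_PROTECTED_DIR;
    }
    return ALLOW;
}

int main(void) {
    const char *f = "/home/htdocs/protected/something.html";
    printf("%s -> %d\n", f, check_path_translated("/home/htdocs", f, ".html", demo_exists));
    return 0;
}
```

Step 3 is a coarse stand-in for the server's own access control; compiling the filter as an Apache module, as the reply suggests for php.cgi, lets the server apply the real .htaccess rules instead.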