Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: www-sql cgi prog overrides .htaccess restrictions.

From: markjr () SHMOOZE NET (Stunt Pope)
Date: Mon, 9 Feb 1998 12:27:25 -0500

On 09-Feb-98 Mr LEROY christophe wrote:

www-sql is a cgi program to access a mysql database via a http server
and create easyly some pages from a query result.

That program acts as a filter, using PATH_TRANSLATED feature to
access html files on your server tree, and it translates <! sql ...> tags
into html viewable text, letting other parts of the html file unchanged.

The problem is that www-sql performs nothing to verify if a user can
access the intended PATH_TRANSLATED file.

So, suppose your htdocs tree is /home/htdocs/
you have a subdirectory /home/htdocs/protected/ in which you have
you have restricted access using .htaccess file.
In your browser, enter URL http://your.server/protected/something.html:
you get prompted a username and a password.
Now, enter URL http://your.server/cgi-bin/www-sql/protected/something.html:
you get the requested file

www-sql is available into Incoming sunsite directory


This is a common characteristic of other "cgi-wrapper" programs as well,
including w3-msql and php.cgi. The latter addresses this by giving one
the option to set PATTERN_RESTRICT at compile time (that way it will
only load files ending in say ".phtml"), or by compiling as an apache
module. I'm not sure about w3-msql because I haven't been following it
for quite some time.

regards, markjr

---
Mark Jeftovic                   aka: mark jeff or vic, stunt pope.
markjr () shmOOze net              http://www.shmOOze.net/~markjr
PWC's BOFH                      http://www.PrivateWorld.com
irc: L-bOMb                     Keep `em Guessing
Previous By Date Next
Previous By Thread Next

Current thread: