Security alert - CGI exploit in Xitami for OS/2

[crb6x () virginia edu (Chuck Byam)]

-----BEGIN PGP SIGNED MESSAGE-----

The following note was sent to the Xitami mailing list Monday, September 21,
1998.

Xitami is a free and easily configurable web server for many platforms,
including OS/2.  More info can be found at:

  http://www.imatix.com/


Security alert
- --------------

There is the potential on non-Unix systems to open a security hole in Xitami
whereby users can execute arbitrary CGI programs on the server.

This is not possible on default configurations.

The security hole is possible because Xitami allows the CGI indicator,
'/cgi-bin' to occur anywhere in the URL.  This is a valid CGI URL, assuming
that 'program.pl' is an executable program, e.g. a Perl script:

  http://somehost/users/jondo/cgi-bin/program.pl

If you have configured Xitami so that a user can upload files into the HTTP
area using FTP, then the user can also upload arbitrary CGI programs and
execute them on your system.

The next release of Xitami will provide an option to disable the wildcard
matching of '/cgi-bin' in the URL.  In
existing versions, you should run Xitami under a user ID that does not have
access to sensitive data, if the operating system allows this.

- -
Pieter Hintjens
iMatix Corporation

- ---
CB
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQB1AwUBNgcPC0wjhOwytkrlAQHS/AMAh/ISjaEZLgd202g4oUPKO8pZmtyvgEH1
cvq06ujH758UGPv2VjtTMk2GQhdVPRvYMrjZ5r6mk6KObS0PJItz9x5pr0hqoouo
H7YCzbhTAABeV2sacnsCQklg/MkBp426
=MJ7A
-----END PGP SIGNATURE-----