Re: Cobalt Networks - Security Advisory - Frontpage

[nneul () UMR EDU (Neulinger, Nathan R.)]

> When a site is uploaded with FP to a RaQ2/3, all of the files
> are owned by user "httpd" instead of a site-specific user.
> The Apache web server is also running as user "httpd".  Cobalt
> uses cgiwrap to have CGIs run as the user that owns the CGI
> instead of "httpd", but it is trivial to bypass cgiwrap and
> run scripts as user "httpd".

Just wanted to clarify here - the "it is trivial to bypass cgiwrap" is not a
security flaw with CGIWrap, but with how the RaQ servers are set up.

-- Nathan