Bugtraq mailing list archives
Re: Cobalt Networks - Security Advisory - Frontpage
From: nneul () UMR EDU (Neulinger, Nathan R.)
Date: Thu, 25 May 2000 13:44:05 -0500
When a site is uploaded with FP to a RaQ2/3, all of the files are owned by user "httpd" instead of a site-specific user. The Apache web server is also running as user "httpd". Cobalt uses cgiwrap to have CGIs run as the user that owns the CGI instead of "httpd", but it is trivial to bypass cgiwrap and run scripts as user "httpd".
Just wanted to clarify here - the "it is trivial to bypass cgiwrap" is not a security flaw with CGIWrap, but with how the RaQ servers are set up.
-- Nathan
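An ownership audit for the setup condition described in the quoted advisory, added here as an example and not part of the original post or of Cobalt's or CGIWrap's code: it walks a site's document root and flags anything owned by the web server account, since per-user CGI separation means nothing for files that account owns. The function name `audit_docroot`, the finding labels and the sample tree are assumptions; on a real host, pass the site directory and the uid of "httpd".

```python
import os
import stat
import tempfile


def audit_docroot(root, server_uid):
    """Return (relative path, reasons) for entries the server account owns or can rewrite."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: judge the entry itself, not a symlink target
            if stat.S_ISLNK(st.st_mode):
                continue
            reasons = []
            if st.st_uid == server_uid:
                # Any code running as the server account can modify this entry.
                reasons.append("owned-by-server-user")
                if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                    # A wrapper that runs a CGI as its owner gives no separation here.
                    reasons.append("executable-owned-by-server-user")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def demo():
    """Constructed sample tree; the current uid stands in for "httpd"."""
    with tempfile.TemporaryDirectory() as root:
        cgi_dir = os.path.join(root, "cgi-bin")
        os.mkdir(cgi_dir)
        os.chmod(cgi_dir, 0o755)
        for rel, mode in (("index.html", 0o644), ("cgi-bin/form.cgi", 0o755)):
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        me = os.getuid()
        # Second call uses a different uid: a site-specific owner yields no findings.
        return audit_docroot(root, me), audit_docroot(root, me + 1)


if __name__ == "__main__":
    for path, reasons in demo()[0]:
        print(path, ", ".join(reasons))
```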