Bugtraq mailing list archives

Insecure installations of cgi wrappers (RTFM people!)


From: Nathan Neulinger <nneul () umr edu>
Date: Mon, 04 Feb 2002 20:10:01 -0600

This isn't really a reporting of a vulnerability, it's more a reporting
of mind-bogglingly foolish administrators that refuse to follow
installation instructions and read the documentation.

(I've cc'd this to both the cgiwrap and apache development mailing
lists, but I'm sure it's not news to readers of either.)

Note the following from cgiwrap documentation:

---
   *VERY IMPORTANT* - Do NOT allow any non-trusted user to run scripts
          directly out of the main cgi-bin directory, as this will allow
          them to use cgiwrap to run any of the other users' scripts. The
          reason for this is that if they can run scripts as the same
          userid as the web server, they can subvert some of cgiwrap's
          security checks to allow them to run other users' scripts. I
          recommend not running ANY scripts on the web server directly,
          once you have cgiwrap installed.
---

I FREQUENTLY receive messages like this:

---
Hi :

My web host provides us with CgiWrap access.

However they only treat scripts installed inside cgi-bin to run as user
me and not nobody.

I wanted to know if there is a way to get CgiWrap to get
scripts installed outside cgi-bin to run as user me, and not
nobody?
---

What that tells me is that web host is a security disaster waiting to
happen because they are allowing both cgiwrap and scripts run directly
from cgi-bin. It won't necessarily give root or anything like that, but
it allows cgi scripts to have their environment COMPLETELY subverted. If
there are any scripts that rely upon the authentication or access
control provided by the web server (such as scripts to administer the
contents of databases), they can be subverted simply because all of that
information is passed via environment variables.
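As an added illustration (not part of Nathan's post or of cgiwrap itself), here is a small audit script that flags exactly the setup the documentation forbids: cgiwrap installed in a ScriptAlias directory next to scripts owned by untrusted users, so those scripts run as the web server uid. The paths, owner names and the trusted-owner set are constructed assumptions.

```python
"""Audit an Apache config plus a cgi-bin listing for the cgiwrap co-installation mistake."""
import re
from pathlib import PurePosixPath

# Assumption: only these accounts are trusted to place scripts in the main cgi-bin.
TRUSTED_OWNERS = {"root"}

def script_alias_dirs(httpd_conf):
    """Directories Apache executes CGIs from directly (ScriptAlias targets)."""
    dirs = []
    for raw in httpd_conf.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r'ScriptAlias\s+\S+\s+"?([^"\s]+)"?', line)
        if m:
            dirs.append(m.group(1).rstrip("/"))
    return dirs

def is_wrapper(path):
    """cgiwrap ships as cgiwrap, cgiwrapd, nph-cgiwrap and nph-cgiwrapd."""
    return "cgiwrap" in PurePosixPath(path).name

def audit(httpd_conf, listing):
    """listing maps script path -> owner; a constructed stand-in for os.stat()
    on the real server. Returns (path, owner) pairs for every script that
    runs directly as the web server user beside cgiwrap. Returns [] when
    cgiwrap is not installed at all, since then the checks cannot be bypassed."""
    if not any(is_wrapper(p) for p in listing):
        return []
    findings = []
    for d in script_alias_dirs(httpd_conf):
        for path, owner in sorted(listing.items()):
            inside = path.startswith(d + "/")
            if inside and not is_wrapper(path) and owner not in TRUSTED_OWNERS:
                findings.append((path, owner))
    return findings

# Constructed sample: a host offering cgiwrap that also lets a user drop a
# script into the shared cgi-bin.
SAMPLE_CONF = """
ServerRoot "/usr/local/apache"
# CGIs in this directory run as the web server user (nobody)
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
"""
SAMPLE_LISTING = {
    "/usr/local/apache/cgi-bin/cgiwrap": "root",
    "/usr/local/apache/cgi-bin/nph-cgiwrap": "root",
    "/usr/local/apache/cgi-bin/counter.cgi": "alice",
}

if __name__ == "__main__":
    for path, owner in audit(SAMPLE_CONF, SAMPLE_LISTING):
        print(f"{path} (owner {owner}) runs as the server uid beside cgiwrap")
```

On a real host, replace the constructed listing with a walk of the ScriptAlias directory using os.stat() and pwd to resolve owners.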

I hate to see cgiwrap or apache/suexec or any of the other wrappers get
the blame for administrators not reading the documentation.

About the only way I can think of getting around this problem would be
to have some sort of web-server -> cgi-wrapper token passing taking
place with a shared secret compiled into the wrapper executable,
combined with non-readable wrapper executables and web server config.
(And I haven't thought about it enough to be sure that wouldn't be
exploitable. With some of the ptrace stuff, I'd bet it probably could be
exploited pretty quick.) To my knowledge, none of the wrappers are
currently doing anything like this. CGIwrap most certainly isn't. 

-- Nathan
(Author of CGIwrap)

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul () umr edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216

