WebApp Sec mailing list archives

Re: htaccess with apache


From: David Precious <davidp () pipex net>
Date: Tue, 4 Nov 2003 13:10:44 +0000

On Tuesday 04 November 2003 10:43 am, Hans Mueller wrote:
> How is it possible to read the files secured with mod_access
> with a cgi script?

Using a .htaccess file (or the same directives in a <Directory> block) 
will stop Apache from serving up files from that directory without 
authentication.

However, if you have an insecurely-designed CGI script, there's nothing 
to stop that from picking up the .htaccess file (or .htpasswd, or 
/etc/passwd if it can get it, etc etc) and passing it back to the 
attacker.

Let's say your script, XXXXXX.ziel.cgi?template=maske1.html, takes the 
value of the "template" parameter, loads it up, and returns it to the 
browser.  If the code is just something like:

open(FH, $template) 

then it'll work nicely and open the file maske1.html in the same 
directory the script is in.

OK, now say the CGI script is in /usr/local/apache/cgi-bin, and your 
webroot is /usr/local/apache/htdocs.  Under your webroot you have a 
directory called "secret" with a .htaccess file in there.

I now call the script as xxx.cgi?template=../htdocs/secret/.htaccess

The script now effectively calls:

open (FH, '../htdocs/secret/.htaccess')

- so instead of opening an HTML template which it's supposed to output, 
it's actually opening the .htaccess file, which it will then return to 
the browser.

The script(s) in question need securing immediately.  If nothing else, 
add some code to ensure you don't allow two dots ("..") to be included 
in the template filename.

Hope this explains it a bit!

Cheers

David P
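
An added example, not part of the message above: one way to harden the template lookup it describes. It goes beyond the suggested ".." check by allowlisting plain file names and confirming the resolved path stays inside the template directory, since an absolute path such as /etc/passwd contains no "..". The function names, the `templates` directory and the `.html`-only pattern are assumptions made for illustration.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Return the canonical path of a template inside $dir, or undef if the
# requested name is not acceptable. The name pattern is an assumption.
sub safe_template_path {
    my ($dir, $name) = @_;
    return unless defined $name;
    # Allowlist: plain file name ending in .html, no slashes, no leading dot.
    return unless $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\.html\z/;
    return if $name =~ /\.\./;                        # the check suggested in the post
    my $base = realpath($dir)          or return;
    my $path = realpath("$base/$name") or return;     # resolves symlinks
    return unless index($path, "$base/") == 0;        # must stay inside $dir
    return -f $path ? $path : undef;
}

sub read_template {
    my ($dir, $name) = @_;
    my $path = safe_template_path($dir, $name) or return;
    # Three-argument open: $path is only ever treated as a file name.
    open(my $fh, '<', $path) or return;
    local $/;                                         # slurp the whole file
    my $body = <$fh>;
    close($fh);
    return $body;
}

# Constructed sample layout, mirroring the directories in the post.
my $root = tempdir(CLEANUP => 1);
make_path("$root/cgi-bin/templates", "$root/htdocs/secret");
for my $f (["cgi-bin/templates/maske1.html", "<html>form</html>\n"],
           ["htdocs/secret/.htaccess",       "AuthType Basic\n"]) {
    open(my $out, '>', "$root/$f->[0]") or die "$f->[0]: $!";
    print {$out} $f->[1];
    close($out);
}

for my $name ('maske1.html', '../../htdocs/secret/.htaccess',
              '/etc/passwd', '.htaccess', 'missing.html') {
    my $body = read_template("$root/cgi-bin/templates", $name);
    printf "%-32s %s\n", $name, defined $body ? 'served' : 'rejected';
}
```

Only `maske1.html` is served; every other name in the constructed list is rejected before any file is opened.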


