WebApp Sec mailing list archives
Re: htaccess with apache
From: David Precious <davidp () pipex net>
Date: Tue, 4 Nov 2003 13:10:44 +0000
On Tuesday 04 November 2003 10:43 am, Hans Mueller wrote:
How is it possible to read the files secured with mod_access with a cgi script?
Using a .htaccess file (or the same directives in a <Directory> block) will stop Apache from serving up files from that directory without authentication. However, if you have an insecurely-designed CGI script, there's nothing to stop that from picking up the .htaccess file (or .htpasswd, or /etc/passwd if it can get it, etc etc) and pass it back to the attacker. Let's say your script, XXXXXX.ziel.cgi?template=maske1.html, takes the value of the "template" parameter, loads it up, and returns it to the browser. If the code is just something like: open(FH, $template) then it'll work nicely and open the file maske1.html in the same directory the script is in. OK, now say the CGI script is in /usr/local/apache/cgi-bin, and your webroot is /usr/local/apache/htdocs. Under your webroot you have a directory called "secret" with a .htaccess file in there. I now call the script as xxx.cgi?template=../htdocs/secret/.htaccess The script now effectively calls: open (FH, '../htdocs/secret/.htaccess') - so instead of opening a HTML template which it's supposed to output, it's actually opening the .htaccess file, which it will then return to the browser. The script(s) in question need securing immediately. If nothing else, add some code to ensure you don't allow two dots ("..") to be included in the template filename. Hope this explains it a bit! Cheers David P
Current thread:
- htaccess with apache Hans Mueller (Nov 04)
- Re: htaccess with apache David Precious (Nov 04)
- Re: htaccess with apache Graham Lally (Nov 04)
- Re: htaccess with apache Tim Greer (Nov 04)
- Re: htaccess with apache A.D.Douma (Nov 04)
- Re: htaccess with apache Tim Greer (Nov 04)
- Re: htaccess with apache Sverre H. Huseby (Nov 04)
- Re: htaccess with apache Tim Tompkins (Nov 04)
- Re: htaccess with apache Lucas Holt (Nov 04)
- Re: htaccess with apache A.D.Douma (Nov 05)
- Re: htaccess with apache Tim Greer (Nov 04)
- Re: htaccess with apache Graham Lally (Nov 04)
- Re: htaccess with apache Tim Greer (Nov 04)