>Number: 337
>Category: general
>Synopsis: Secure CGI scripts can be run by unauthorized users
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Wed Apr 9 01:20:01 1997
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.2bX
>Environment:
Solaris 2.5, Apache 1.2b7, gcc, although I think it is a fairly general problem
>Description:
A CGI script is in a password protected area (using .htaccess protection). Theoretically, a user on the system could create a CGI script that executes the password protected script, setting the correct environment variables and giving it the correct parameters that ensure the script cannot detect that it is being run by another script rather than the httpd daemon.

I guess this is just a general problem with CGI security itself, but I wondered if anybody has had this happen, or if there is any way to ensure that it doesn't happen. My guess is to ensure that the parent process id of the parent process of the CGI script is the process id logged to disk when httpd starts. Is this enough?
>How-To-Repeat:
I haven't tried this but I could fairly easily generate it if you need me to. Like I said, it is just a general concern.
>Fix:
Just make a note in the security docs for Apache that some checking should be done within the CGI script if it is really meant to be secure. I've not seen anything on this anywhere. This is even more critical if the CGI script is setuid so that it has some real access to the server.

Really, it's probably just one of the many millions of possible problems that are opened by providing CGI access, even through CGI wrappers.
>Audit-Trail:
>Unformatted:
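The parent-pid check the report proposes, written out as an added example (not code from the report or from Apache): the CGI compares its grandparent process with the master httpd pid recorded in the PidFile. It assumes a Linux /proc layout for the parent lookup and a PidFile at the path passed in; the `ppid` and `parent_lookup` parameters are hypothetical test hooks, and the check complements rather than replaces restrictive file permissions on the script itself.

```python
"""CGI-side check: refuse to run unless our parent's parent is the master httpd.

In Apache 1.x the master process (pid written to PidFile at startup) forks
request-handling children, and a child forks the CGI. So the CGI's grandparent
should be the pid recorded in the PidFile.
"""
import os
import sys


def read_pidfile(path):
    """Return the pid recorded in an Apache-style PidFile, or None if unreadable."""
    try:
        with open(path) as fh:
            text = fh.read().strip()
    except OSError:
        return None
    return int(text) if text.isdigit() else None


def parent_of(pid):
    """Parent pid of `pid` read from /proc/<pid>/stat (Linux-specific assumption)."""
    try:
        with open(f"/proc/{pid}/stat") as fh:
            stat = fh.read()
    except OSError:
        return None
    # The comm field is in parentheses and may contain spaces, so split after the last ')'.
    # Remaining fields: state ppid pgrp ... -> ppid is index 1.
    fields = stat[stat.rindex(")") + 2:].split()
    return int(fields[1])


def launched_by_httpd(pidfile_path, ppid=None, parent_lookup=parent_of):
    """True only when the grandparent of this process is the httpd pid in PidFile.

    `ppid` and `parent_lookup` are hypothetical hooks so the logic can be tested
    outside a running server; in production both default to the real values.
    """
    httpd_pid = read_pidfile(pidfile_path)
    if httpd_pid is None:
        return False  # fail closed when the PidFile cannot be read
    ppid = os.getppid() if ppid is None else ppid
    grandparent = parent_lookup(ppid)
    return grandparent is not None and grandparent == httpd_pid


def main():
    # PidFile path is an assumption; use the value from your httpd.conf.
    if not launched_by_httpd("/usr/local/apache/logs/httpd.pid"):
        print("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nnot invoked by httpd")
        sys.exit(0)
    print("Content-Type: text/plain\r\n\r\nok")


if __name__ == "__main__":
    main()
```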
