>Number:         973
>Category:       mod_cgi
>Synopsis:       Invalid request methods are processed by CGI module as GET
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Aug 6 20:50:01 1997
>Originator:     [EMAIL PROTECTED]
>Organization:   apache
>Release:        1.2.1
>Environment:
FreeBSD 2.1.X (all levels including 0, 5, 7) built with gcc
>Description:
A user can use an invalid request method for a cgi script like

    BLAH /index.cgi HTTP/1.0

and it is processed by apache as if it were a GET. These should return
the appropriate Accept headers and log an error to the error log about
"Invalid method in request" but do not. This request currently runs the
cgi and returns the output of the index.cgi script.

A related problem, that made us first notice this, is that cgi scripts
in directories protected with .htaccess that have

    <Limit GET POST>
    require valid-user
    </Limit>

are still runnable without authenticating the user if the request method
is a non-supported one (such as BLAH above). Trying to retrieve regular
files with the invalid request method results in attempts to
authenticate (which is the correct behaviour).
>How-To-Repeat:
Yes. In the first case, just a

    telnet server 80
    BLAH /index.cgi HTTP/1.0

works fine when it should not.

For the second part, just set up a directory which controls access
through

    <Limit GET POST>
    require valid-user
    </Limit>

Put a CGI script and a regular html file there. Set up so that
authentication is required to get either file and then use

    telnet server 80
    BLAH /index.cgi HTTP/1.0

and you should be able to cause the script to be executed and return the
output.

    telnet server 80
    BLAH /index.html HTTP/1.0

will give the appropriate invalid request method error and accept
header.
>Fix:
This may be a problem with other types of files, but, at least for CGI
scripts, modifying the cgi_handler routine to check to see that the
request is valid will properly handle the first situation. I'm not sure
about the second situation.
>Audit-Trail:
>Unformatted:
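
Added example, not part of the original report and not Apache project code: a small audit helper that flags access-control directives placed inside a <Limit> block, where they apply only to the listed methods and leave any other method (the second case above) unauthenticated. The function name, the directive set and both sample .htaccess bodies are constructed for illustration.

```python
import re

# Access-control directives that become method-scoped when wrapped in <Limit>.
ACCESS_DIRECTIVES = {"require", "order", "allow", "deny"}

# "<Limit " needs whitespace after the name, so <LimitExcept ...> is not matched.
OPEN_RE = re.compile(r"^<\s*Limit\s+([^>]*)>", re.IGNORECASE)
CLOSE_RE = re.compile(r"^<\s*/\s*Limit\s*>", re.IGNORECASE)

def find_method_scoped_rules(text):
    """Return (line_no, methods, directive) for each access rule inside <Limit>."""
    findings = []
    methods = None  # None while we are outside any <Limit> block
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        opened = OPEN_RE.match(line)
        if opened:
            methods = tuple(m.upper() for m in opened.group(1).split())
        elif CLOSE_RE.match(line):
            methods = None
        elif methods is not None and line.split()[0].lower() in ACCESS_DIRECTIVES:
            findings.append((line_no, methods, line))
    return findings

# Constructed sample: the pattern from the report, protecting GET and POST only.
SAMPLE_WEAK = """\
AuthType Basic
AuthName "staff"
AuthUserFile /constructed/path/htpasswd
<Limit GET POST>
require valid-user
</Limit>
"""

# Constructed sample: the same rule outside <Limit>, so it covers every method.
SAMPLE_FIXED = """\
AuthType Basic
AuthName "staff"
AuthUserFile /constructed/path/htpasswd
require valid-user
"""

if __name__ == "__main__":
    for line_no, methods, directive in find_method_scoped_rules(SAMPLE_WEAK):
        print(f"line {line_no}: '{directive}' applies only to {' '.join(methods)}")
```

Each finding marks a rule that does not cover methods outside the listed set; moving the directive out of the <Limit> block makes it apply to all methods.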
