>Number:         1173
>Category:       mod_access
>Synopsis:       Authorized user is not passed to CGI scripts
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Sep 29 04:10:01 1997
>Originator:     [EMAIL PROTECTED]
>Organization:   apache
>Release:        1.2.1
>Environment:
SunOS sol 5.5.1 Generic_103640-08 sun4m sparc SUNW,SPARCstation-10
gcc --version 2.7.2
>Description:
A database frontend was set up through the Apache 1.2.1 webserver. This frontend connects to an mSQL database in order to update it. User authorization is done using the mod_auth_msql module.

The database frontend is set up as a frameset (of 2 frames), of which the right frame contains a menu and the left contains the FORMS pages, which allow updating data items.

As I can see in the access log file, the HTTP server prompts for the user name and the password, authorizes the user and returns both the frameset and the right frame to that user. The CGI script, which is contained in the left frame, is called without the authorized user environment variable (REMOTE_USER) being set up accordingly. The log file shows the following:

gate.class.de - admin [29/Sep/1997:12:46:18 +0200] "GET /Admin/ HTTP/1.0" 200 644
gate.class.de - admin [29/Sep/1997:12:46:19 +0200] "GET /Admin/right.html HTTP/1.0" 200 1032
gate.class.de - - [29/Sep/1997:12:46:20 +0200] "GET /Gifs/syslog1.gif HTTP/1.0" 200 14677
gate.class.de - - [29/Sep/1997:12:46:20 +0200] "GET /cgi-bin/nph-count?width=5&link=/admin.html HTTP/1.0" 200 1759
gate.class.de - "" [29/Sep/1997:12:46:22 +0200] "GET /cgi-bin/Admin/main.pl HTTP/1.0" 200 1952
gate.class.de - - [29/Sep/1997:12:46:22 +0200] "GET /Headgrafs/01.gif HTTP/1.0" 404 169

As you can see in the 5th line, instead of the user name, an empty string is shown for the CGI request.

This problem was not present in Apache 1.1.1. It first occurred when we updated to Apache 1.2.1.
>How-To-Repeat:
There's no site containing this bug which is publicly available. The database is mission-critical, so I'm not allowed to pass you a password.
>Fix:
N
>Audit-Trail:
>Unformatted:
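The symptom in the report is visible in the access log alone: a 200 response for a request under the protected CGI path whose authuser field is "" (or "-") although the same client had just authenticated as admin. The following is an added example, not part of the bug report or of Apache, that parses Common Log Format lines and flags exactly that pattern. The sample log is reconstructed from the lines quoted in the report; the set of protected prefixes (/Admin/ and /cgi-bin/Admin/) is an assumption about the submitter's configuration.

```python
import re
from datetime import datetime

# Common Log Format: host ident authuser [date] "request" status bytes.
# The authuser group also accepts a quoted value, because the report's
# 5th line logs "" rather than the usual "-" for an unauthenticated request.
_CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>"[^"]*"|\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample: the six access-log lines quoted in the bug report.
SAMPLE_LOG = """\
gate.class.de - admin [29/Sep/1997:12:46:18 +0200] "GET /Admin/ HTTP/1.0" 200 644
gate.class.de - admin [29/Sep/1997:12:46:19 +0200] "GET /Admin/right.html HTTP/1.0" 200 1032
gate.class.de - - [29/Sep/1997:12:46:20 +0200] "GET /Gifs/syslog1.gif HTTP/1.0" 200 14677
gate.class.de - - [29/Sep/1997:12:46:20 +0200] "GET /cgi-bin/nph-count?width=5&link=/admin.html HTTP/1.0" 200 1759
gate.class.de - "" [29/Sep/1997:12:46:22 +0200] "GET /cgi-bin/Admin/main.pl HTTP/1.0" 200 1952
gate.class.de - - [29/Sep/1997:12:46:22 +0200] "GET /Headgrafs/01.gif HTTP/1.0" 404 169
"""

# Assumed: these URL prefixes are the ones covered by the mod_auth_msql
# <Location>/<Directory> configuration on the submitter's server.
PROTECTED_PREFIXES = ("/Admin/", "/cgi-bin/Admin/")


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match.
    The 'user' key is None when the authuser field is "-" or an empty string."""
    m = _CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    user = rec["user"]
    if user.startswith('"') and user.endswith('"'):
        user = user[1:-1]
    rec["user"] = None if user in ("", "-") else user
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_unauthenticated_protected_hits(log_text, prefixes=PROTECTED_PREFIXES):
    """Return a list of (path, last_user_seen_for_host) for every successful
    (2xx) request to a protected path that carries no authuser, where the
    same client host had already appeared with an authenticated user earlier
    in the log. A hit means the server served protected content (here a CGI
    script) without recording who asked for it."""
    last_user = {}
    findings = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue  # skip lines that are not CLF (e.g. blank or garbled)
        host = rec["host"]
        if rec["user"]:
            last_user[host] = rec["user"]
            continue
        path = rec["path"].split("?", 1)[0]  # ignore the query string
        if path.startswith(prefixes) and rec["status"] // 100 == 2:
            findings.append((rec["path"], last_user.get(host)))
    return findings


if __name__ == "__main__":
    for path, prev in find_unauthenticated_protected_hits(SAMPLE_LOG):
        print(f"protected path {path} served with no authuser "
              f"(host previously authenticated as {prev})")
```

Run against the reconstructed log it reports the single /cgi-bin/Admin/main.pl request; the /Gifs/ and nph-count lines are unauthenticated too but fall outside the protected prefixes, which is the distinction that separates the reported bug from ordinary static requests.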
