>Number:         1406
>Category:       general
>Synopsis:       Security error in non-parsed header (nph-*) scripts - QUERY_STRING environment variable
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Nov 12 14:30:00 PST 1997
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:   apache
>Release:        1.1.1 - 1.2.4
>Environment:
BSDi versions 2.1 and 3.0
BSD/OS media.magma.ca 2.1 BSDI BSD/OS 2.1 Kernel #6: Tue Mar 25 20:01:02 EST 1997 [EMAIL PROTECTED]:/usr/src/sys/compile/LOCAL i386
BSD/OS media2.magma.ca 3.0 BSDI BSD/OS 3.0 Kernel #10: Fri Apr 25 12:32:45 EDT 1997 [EMAIL PROTECTED]:/usr/src/sys/compile/LOCAL i386
>Description:
The problem is that the QUERY_STRING environment variable is NOT being set
correctly for non-parsed header scripts. Apparently, the QUERY_STRING is
considered to be a filename, and is expanded according to UNIX rules,
including wildcards.

Here's a simple non-parsed-header script (call it nph-test-cgi):

--------------------------------- cut here ------------------------------------
#!/bin/sh

echo HTTP/1.0 200 OK
echo Content-type: text/plain
echo Server: $SERVER_SOFTWARE
echo

echo CGI/1.0 test script report:
echo

echo argc is $#. argv is "$*".
echo

echo QUERY_STRING = $QUERY_STRING
--------------------------------- cut here ------------------------------------

Assume your web server's domain name is "web.server.com". Go to the
following URL:

    http://web.server.com/cgi-bin/nph-test-cgi?*

The output from the CGI will not be quite what you would expect. You would
expect that the QUERY_STRING environment variable would equal "*", but
instead it contains a listing of ALL of the files in the "cgi-bin"
directory.

It also allows relative paths, so that the URL

    http://web.server.com/cgi-bin/nph-test-cgi?../*

will give you a listing of all of the files/directories in the "cgi-bin"
directory's parent directory.

By the way, the above script behaves properly if the script is NOT a
non-parsed-header script. That is, the QUERY_STRING environment variable is
equal to "*".
>How-To-Repeat:
See full description.
>Fix:
Attempt to set the QUERY_STRING environment variable in the same way
(perhaps using the same code), whether the script is a non-parsed-header
script or not.
>Audit-Trail:
>Unformatted:
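Added example, not part of this PR or of the Apache distribution: it reproduces, in a plain Bourne shell over a constructed stand-in for the cgi-bin directory, how the unquoted `$QUERY_STRING` expansion used by the script above undergoes pathname (glob) expansion, and shows the two hardened forms (double-quoting the value, or `set -f`) that keep the query string literal regardless of how the server passes it. The directory and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the PR: shell-side glob expansion of CGI input.
# A constructed stand-in for the cgi-bin directory, populated with sample names.
SAMPLE_DIR=$(mktemp -d)
touch "$SAMPLE_DIR/nph-test-cgi" "$SAMPLE_DIR/printenv" "$SAMPLE_DIR/test-cgi"
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Form used by the script in the report: $QUERY_STRING is expanded unquoted, so
# the shell performs field splitting and pathname expansion on its value. A
# query of '*' therefore becomes the list of files in the script's directory.
# (Under a real CGI run the server exports QUERY_STRING; here it is assigned.)
report_unquoted() {
    QUERY_STRING=$1
    (cd "$SAMPLE_DIR" && echo QUERY_STRING = $QUERY_STRING)
}

# Hardened form 1: double quotes make the value one literal word; no expansion.
hardened_quoted() {
    QUERY_STRING=$1
    (cd "$SAMPLE_DIR" && echo "QUERY_STRING = $QUERY_STRING")
}

# Hardened form 2: 'set -f' disables pathname expansion for the whole script,
# which protects every unquoted use; quoting remains the idiomatic fix.
hardened_noglob() {
    QUERY_STRING=$1
    (cd "$SAMPLE_DIR" && set -f && echo QUERY_STRING = $QUERY_STRING)
}

# Print the three behaviours side by side when the file is run directly.
demo() {
    for q in '*' 'name=value'; do
        echo "query '$q':"
        echo "  unquoted : $(report_unquoted "$q")"
        echo "  quoted   : $(hardened_quoted "$q")"
        echo "  noglob   : $(hardened_noglob "$q")"
    done
}

demo
```

Running the block prints the expanded file list for the unquoted form only; both hardened forms echo `QUERY_STRING = *` unchanged.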
