>Number:         1418
>Category:       mod_actions
>Synopsis:       htaccess files can be bypassed when actions are used
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Fri Nov 14 06:10:00 PST 1997
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:
apache
>Release:        1.2.4
>Environment:
FreeBSD 2.1.5, gcc 2.6.3
`uname -a` = FreeBSD nmg.nl 2.1.5-RELEASE FreeBSD 2.1.5-RELEASE #0: Sat Sep 21 20:55:20 MET DST 1996 [EMAIL PROTECTED]:/usr/src/sys/compile/NMG i386
>Description:
In most of my projects I use the Apache webserver because it is the best there is. Unfortunately I stumbled upon the following problem when investigating writing a CGI program that will process all files ending in a certain extension (e.g. to make a server-side programming language like PHP or Cold Fusion).

There is a security problem when an action is installed to let a CGI program process all files ending in a certain extension, e.g.:

    AddHandler prhtml-action prhtml
    Action prhtml-action /cgi-bin/process.cgi

When access to the URL http://host.com/secure/file.prhtml is secured by a password (because the directory "/secure" is), it is still possible to get at the file _without_ giving the proper credentials by accessing the URL http://host.com/cgi-bin/process.cgi/secure/file.prhtml when the directory "/cgi-bin" is not protected by a password.

Thanks,
Vincent.
>How-To-Repeat:
1) Install a handler by adding the following lines to httpd.conf:

    AddHandler prhtml-action prhtml
    Action prhtml-action /cgi-bin/process.cgi

2) Write a CGI program called process.cgi that displays the environment and prints the file passed in PATH_TRANSLATED, and place this CGI program in /cgi-bin.
3) Make a directory "/secure" and place an .htaccess file in it that prohibits all access (deny from all).
4) Put a file called "file.prhtml" in that directory.
5) Access the URI "/secure/file.prhtml". This should give a "permission denied" error.
6) Access the URI "/cgi-bin/process.cgi/secure/file.prhtml". This will give you the contents of "/secure/file.prhtml".
>Fix:
The module "mod_actions" seems to use an internal_redirect to implement actions like these. Maybe a subrequest could be made with a special flag that prevents access-checking. That way the directory "/cgi-bin" could be secured without harming access to a file like "/notsecure/file.prhtml".
>Audit-Trail:
>Unformatted:
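Added example, not part of the report and not Apache's or the submitter's code: a version of the process.cgi from the How-To-Repeat steps that closes the bypass on the script side instead of waiting for a mod_actions change. It relies on one documented behaviour of mod_cgi: when a request reaches a script through an internal redirect (which is how Action dispatches), the original request's variables are copied into the environment under a REDIRECT_ prefix, so REDIRECT_STATUS is present; a request typed directly as /cgi-bin/process.cgi/secure/file.prhtml never carries it. The same gate is what PHP's CGI binary later shipped as cgi.force_redirect for exactly this reason. The httpd.conf lines, the /secure path and the "SECRET CONTENT" file are assumptions constructed for the demonstration.

```python
"""Action-handler CGI that refuses direct invocation.

Assumed httpd.conf (taken from the report; not verified here):

    AddHandler prhtml-action prhtml
    Action prhtml-action /cgi-bin/process.cgi

Apache applies /secure's .htaccess to the original request for
/secure/file.prhtml *before* mod_actions redirects it to this script,
so a request that arrives via the redirect has already passed access
control. A request that hits /cgi-bin/process.cgi/... directly has
not, and it is the only kind that lacks REDIRECT_STATUS.
"""
import os
import sys
import tempfile


def invoked_via_action(environ):
    """True only when Apache reached the script through an internal redirect."""
    return "REDIRECT_STATUS" in environ


def handle(environ):
    """Return (status_line, body) for one CGI environment.

    The file to render still comes from PATH_TRANSLATED, exactly as the
    submitter's process.cgi used it; the only difference is the gate.
    """
    if not invoked_via_action(environ):
        return "403 Forbidden", "direct invocation of this handler is not allowed\n"
    path = environ.get("PATH_TRANSLATED")
    if not path:
        return "400 Bad Request", "no PATH_TRANSLATED in environment\n"
    try:
        with open(path, "r", encoding="utf-8") as fh:
            return "200 OK", fh.read()
    except OSError:
        return "404 Not Found", "cannot read the requested file\n"


def respond(environ, out=sys.stdout):
    """Emit a CGI response (Status header, content type, body)."""
    status, body = handle(environ)
    out.write("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s" % (status, body))


def sample_environments():
    """Constructed stand-ins for the two requests in the report.

    Builds a throwaway docroot with secure/file.prhtml; these are not
    captured Apache environments, only the variables relevant here.
    """
    docroot = tempfile.mkdtemp()
    secret = os.path.join(docroot, "secure", "file.prhtml")
    os.makedirs(os.path.dirname(secret))
    with open(secret, "w", encoding="utf-8") as fh:
        fh.write("SECRET CONTENT\n")
    # Step 6 of How-To-Repeat: the script URL requested by hand.
    direct = {
        "SCRIPT_NAME": "/cgi-bin/process.cgi",
        "PATH_INFO": "/secure/file.prhtml",
        "PATH_TRANSLATED": secret,
    }
    # Same variables, plus what mod_cgi adds on an Action internal redirect.
    via_action = dict(direct)
    via_action.update({"REDIRECT_STATUS": "200",
                       "REDIRECT_URL": "/secure/file.prhtml"})
    return direct, via_action


if __name__ == "__main__":
    for env in sample_environments():
        respond(env)
```

Two caveats a practitioner should keep in mind. Any internal redirect sets REDIRECT_STATUS, including ErrorDocument and mod_rewrite ones, so the gate only distinguishes "dispatched by the server" from "requested by name"; it is not a substitute for putting /cgi-bin under the same access control where that is possible, and it does not address the submitter's request that the subrequest skip access checks for /cgi-bin itself. It does, however, leave /notsecure/file.prhtml working, since that request also arrives via the redirect.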
