>Number: 2860 >Category: general >Synopsis: .htaccess can be bypassed with cgi scripts which use >PATH_TRANSLATED info (Re: PR1418) >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: open >Class: change-request >Submitter-Id: apache >Arrival-Date: Fri Aug 14 18:20:02 PDT 1998 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: any >Environment: any >Description: I have MSQL installed on our machine. With MSQL I also have installed w3-msql in the global /cgi-bin/ directory. MSQL Lite scripts can so embedded in normal html-code and then be parsed with http://server/cgi-bin/w3-msql/scripts/sql.html Some of these scripts should be protected for nonauthorized persons and should be kept in directories protected with .htaccess.
But with this limitation I can browse the complete WWW space, including password protected regions. Installing the program only in a protected cgi-bin doesn't help. Now I can browse the WWW space with only one password, instead of the many different passwords in several subdirectories. Since w3-msql cannot parse .htaccess files (and shouldn't, because it could be run on other WWW servers with a different security model) the only solution is, that the web server itself does the authorization. >How-To-Repeat: test.cgi: #!/bin/sh echo "Content-Type: text/plain" echo cat "$PATH_TRANSLATED" http://www.server/cgi-bin/test.cgi/securedir/securefile.txt >Fix: The .htaccess file of the destination of PATH_TRANSLATED should also be checked. >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include <[EMAIL PROTECTED]> in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]
