>Number: 4111
>Category: suexec
>Synopsis: SSI #exec cmd="..." does not work with suexec enabled
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Wed Mar 24 11:20:04 PST 1999
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.3.1
>Environment:
Linux linux 2.0.32 #2 Mon Dec 29 09:42:18 CET 1997 i586
gcc version 2.7.2.1
>Description:
When using the SSI command '#exec cmd="/usr/bin/cal 3 1999"' together with the suexec wrapper enabled, the command cannot be executed because

1. The command contains a slash on the first position
2. Arguments cannot be passed to programs via suexec
>How-To-Repeat:
Write a sample script and try it ...
>Fix:
Without knowing much of the internals of suexec, I suggest:

1. Try to separate path (/usr/bin) data from program name (cal) and then cwd to this path before executing suexec with just the program name (as cgi calls do)
2. The program name and its arguments are passed to suexec as one argument. Perhaps one should try to separate program and arguments within suexec by splitting at blanks. But this imposes that arguments and the program name must not contain blanks.

Do these changes impose security problems?
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need to include <[EMAIL PROTECTED]> in the Cc line and leave the subject line UNCHANGED. This is not done automatically because of the potential for mail loops. If you do not include this Cc, your reply may be ignored unless you are responding to an explicit request from a developer. Reply only with text; DO NOT SEND ATTACHMENTS!]
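
The two proposals in the report, sketched in C as an added example; this is not suexec's code and not the submitter's. `cmd_name_ok`, `split_exec_cmd` and `MAX_ARGS` are hypothetical names, and the `../` rejections are an assumption about what such a wrapper would also refuse.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 16  /* hypothetical limit for this sketch */

/* The rule the report runs into: a command name starting with '/' is refused.
 * The "../" rejections are an assumption about such a wrapper. */
static int cmd_name_ok(const char *cmd)
{
    if (cmd[0] == '\0' || cmd[0] == '/') return 0;
    if (strncmp(cmd, "../", 3) == 0 || strstr(cmd, "/../") != NULL) return 0;
    return 1;
}

/* Proposals 1 and 2: split "dir/prog arg ..." in place at blanks, then
 * separate the directory from the program name. Returns argc or -1.
 * *dir is the directory to change into first (NULL if the name had none). */
static int split_exec_cmd(char *line, const char **dir, char *argv[MAX_ARGS + 1])
{
    int argc = 0;
    char *tok, *slash;
    *dir = NULL;
    for (tok = strtok(line, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if (argc == MAX_ARGS) return -1;
        argv[argc++] = tok;
    }
    argv[argc] = NULL;  /* vector form, suitable for execv(): no shell parsing */
    if (argc == 0) return -1;
    slash = strrchr(argv[0], '/');
    if (slash != NULL) {
        *dir = (slash == argv[0]) ? "/" : argv[0];
        *slash = '\0';
        argv[0] = slash + 1;
    }
    return cmd_name_ok(argv[0]) ? argc : -1;
}

int main(void)
{
    char line[] = "/usr/bin/cal 3 1999";  /* the command from the report */
    const char *dir = NULL;
    char *argv[MAX_ARGS + 1];
    int i, argc = split_exec_cmd(line, &dir, argv);
    printf("argc=%d dir=%s\n", argc, dir ? dir : "(none)");
    for (i = 0; i < argc; i++) printf("argv[%d]=%s\n", i, argv[i]);
    return 0;
}
```

Once the directory is split off, the name check no longer sees it, so the directory needs its own validation before any change of working directory.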