DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21879>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21879

Global CGI RW

           Summary: Global CGI RW
           Product: Apache httpd-2.0
           Version: 2.0.47
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Other
         Component: mod_cgi
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

Currently, a bug exists whereby, at a minimum, an attacker can read the contents of every file that Apache has access to. Potentially the attacker can also write to every file that Apache has access to.

This bug involves CGI changing directories and then listing directory contents or file contents. Since CGI is executed either as the HTTPd user itself or as another global user, file system permissions can stop that user from writing to disk. However, this doesn't help most win32 operating systems.

As an effort to aid a possible solution, the only way I can see is to execute CGI as each specific user. For example, if the HTTP_USER is blank, then CGI should only be allowed "anonymous" access rights, and therefore access rights can be set up on a per-user basis.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
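The report's premise is that a CGI script inherits the file-system rights of the account httpd runs it as, so whatever that account can read or write, the script can read or write. The check a practitioner wants before arguing about per-user CGI execution is an inventory of exactly that set. The script below is an added example written for this page; it is not code from the bug report or from the Apache project. It evaluates POSIX mode bits for a chosen account the way the kernel does for a non-root process, walks a tree, and prints every regular file that account could open. Assumptions: a Unix host, no POSIX ACLs, the httpd account is named www-data and the tree is /etc unless overridden on the command line, and uid 0 is not special-cased.

```python
#!/usr/bin/env python3
"""Audit what a CGI script running as a given unprivileged user could read or
write, by evaluating POSIX mode bits the way the kernel does for a non-root
process.  Added example for this bug report; not part of Apache httpd."""
import grp
import os
import pwd
import stat
import sys
from dataclasses import dataclass
from typing import FrozenSet, Iterator, Tuple

R, W, X = 4, 2, 1  # permission bits within one rwx triplet


@dataclass(frozen=True)
class Subject:
    """Identity a process runs as: uid, primary gid, supplementary gids."""
    uid: int
    gid: int
    groups: FrozenSet[int]


def permitted(st_mode: int, st_uid: int, st_gid: int, who: Subject, want: int) -> bool:
    """Classic discretionary access check: owner bits if the uid matches,
    otherwise group bits if the file's group is one of the subject's groups,
    otherwise the 'other' bits.  Assumptions: no ACLs, and uid 0 is not
    special-cased (root bypasses these bits entirely)."""
    if who.uid == st_uid:
        bits = (st_mode >> 6) & 7
    elif st_gid == who.gid or st_gid in who.groups:
        bits = (st_mode >> 3) & 7
    else:
        bits = st_mode & 7
    return bits & want == want


def audit(root: str, who: Subject) -> Iterator[Tuple[str, str]]:
    """Walk `root` and yield (path, 'r' | 'w' | 'rw') for every regular file
    the subject could open.  A directory the subject cannot search (x bit)
    is pruned: a CGI running as that user could not chdir into it or open
    anything beneath it.  The walk itself runs with the caller's rights, so
    run it as root (or the tree's owner) to get a complete picture."""
    for dirpath, dirnames, filenames in os.walk(root):
        dst = os.lstat(dirpath)
        if not permitted(dst.st_mode, dst.st_uid, dst.st_gid, who, X):
            dirnames[:] = []  # do not descend
            continue
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                fst = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(fst.st_mode):
                continue  # symlinks, sockets, devices are out of scope here
            r = permitted(fst.st_mode, fst.st_uid, fst.st_gid, who, R)
            w = permitted(fst.st_mode, fst.st_uid, fst.st_gid, who, W)
            if r or w:
                yield path, ("r" if r else "") + ("w" if w else "")


def subject_for(username: str) -> Subject:
    """Resolve a local account (e.g. the value of httpd's User directive)
    to a Subject, including its supplementary groups."""
    pw = pwd.getpwnam(username)
    extra = frozenset(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return Subject(pw.pw_uid, pw.pw_gid, extra)


if __name__ == "__main__":
    # Assumed defaults: the httpd account is 'www-data' and the tree is /etc.
    user = sys.argv[1] if len(sys.argv) > 1 else "www-data"
    tree = sys.argv[2] if len(sys.argv) > 2 else "/etc"
    for path, mode in audit(tree, subject_for(user)):
        print(f"{mode:2} {path}")
```

Run it as root so the walk can see the whole tree (`sudo python3 cgi_audit.py www-data /`); anything it lists with `w` is a file a CGI script could overwrite, and anything with `r` is a file it could return to the client. The Windows case the reporter mentions is not modelled: NTFS ACLs are not expressible as mode bits, so this check only answers the Unix half of the question.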
