Here's a description of the problem:

mod_dtcl's list of commands includes hgetvars which creates several tcl
arrays. One such array, ENVS, contains the sub-process environment provided
by the Apache web server as well as the headers sent by the client. Because
the environment variables and client http headers are combined into one
array, it is possible in rare circumstances for a specifically-formed http
request to spoof the existence of certain environment variables.

Exploiting:
A ttml script could be fooled if an http client request is formed so that a
header has the same name as a common environment variable that is not always
present in the environment (such as REMOTE_USER) and the ttml script uses
the mere existence of that environment variable to perform certain tasks.
Example:

GET /somescript.ttml HTTP/1.1
Host: somesite.com
REMOTE_USER: someuser

Example of script fragment (most likely included on pages site wide via
parse command, source command or Apache directives) that would be fooled:

hgetvars
if {[info exists ENVS(REMOTE_USER)]} {
 # This is a valid user in a protected area
 # Display confidential information for this user
 ...
}

The fixed version places the http headers into a separate array
(CLIENT_ENVS). The headers are still accessible in ENVS via common cgi
environment name, i.e.:
ENVS(HTTP_USER_AGENT) would contain the same value as
CLIENT_ENVS(User-Agent)

David W. was able to release the fixed version *very* quickly amidst a
*very* busy travel schedule. So cheers to him.

Thanks,
David Brancato
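An added Python model of the behaviour described in the post (not mod_dtcl's own code): the old hgetvars merge of server environment and client headers into one ENVS array, the fixed split into ENVS plus CLIENT_ENVS, and the script's existence check run against the spoofed request from the example. The dictionaries, header values and function names are constructed for illustration.

```python
# Model of the mod_dtcl hgetvars issue (added illustration, not mod_dtcl code).
# Tcl arrays are represented as Python dicts.

def cgi_name(header):
    """Map a client header name to its CGI environment form, e.g.
    User-Agent -> HTTP_USER_AGENT (the form the fixed ENVS uses)."""
    return "HTTP_" + header.upper().replace("-", "_")

def hgetvars_vulnerable(server_env, headers):
    """Old behaviour: raw header names are dropped straight into ENVS, so a
    header named like an environment variable fakes its existence."""
    envs = dict(server_env)
    envs.update(headers)
    return envs

def hgetvars_fixed(server_env, headers):
    """Fixed behaviour: ENVS holds the server environment plus headers only
    under their HTTP_* CGI names; raw headers live in a separate CLIENT_ENVS."""
    envs = dict(server_env)
    for name, value in headers.items():
        envs[cgi_name(name)] = value
    client_envs = dict(headers)
    return envs, client_envs

def user_is_authenticated(envs):
    """The fooled script fragment: trusts the mere existence of REMOTE_USER."""
    return "REMOTE_USER" in envs

# Constructed sample: an unauthenticated request carrying the spoofed header
# from the post. Apache set no REMOTE_USER because no auth module ran.
SERVER_ENV = {"REQUEST_METHOD": "GET", "SCRIPT_NAME": "/somescript.ttml"}
HEADERS = {"Host": "somesite.com", "User-Agent": "x", "REMOTE_USER": "someuser"}

def demo():
    old = hgetvars_vulnerable(SERVER_ENV, HEADERS)
    new_envs, client_envs = hgetvars_fixed(SERVER_ENV, HEADERS)
    return {
        "old_fooled": user_is_authenticated(old),       # True: spoof succeeds
        "new_fooled": user_is_authenticated(new_envs),  # False: only real env
        "ua_via_envs": new_envs.get("HTTP_USER_AGENT"),
        "ua_via_client": client_envs.get("User-Agent"),
        "spoof_lands_in": new_envs.get("HTTP_REMOTE_USER"),  # harmless name
    }
```

In the fixed layout the spoofed header is still visible, but only as ENVS(HTTP_REMOTE_USER) and CLIENT_ENVS(REMOTE_USER), never as the server-set ENVS(REMOTE_USER) the script tests.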
