[ http://www.rootshell.com/ ]

www-sql is a cgi program to access a mysql database via an http server
and create easily some pages from a query result.

That program acts as a filter, using the PATH_TRANSLATED feature to
access html files on your server tree, and it translates tags
into html viewable text, leaving other parts of the html file unchanged.

The problem is that www-sql performs nothing to verify if a user can
access the intended PATH_TRANSLATED file.

So, suppose your htdocs tree is /home/htdocs/
you have a subdirectory /home/htdocs/protected/ in which you have
restricted access using a .htaccess file.
In your browser, enter URL http://your.server/protected/something.html:
you get prompted for a username and a password.
Now, enter URL http://your.server/cgi-bin/www-sql/protected/something.html:
you get the requested file

www-sql is available in the sunsite Incoming directory

Christophe Leroy

----------------------------------------------------------------------------

On 09-Feb-98 Mr LEROY christophe wrote:
>www-sql is a cgi program to access a mysql database via an http server
>and create easily some pages from a query result.
>
>That program acts as a filter, using the PATH_TRANSLATED feature to
>access html files on your server tree, and it translates tags
>into html viewable text, leaving other parts of the html file unchanged.
>
>The problem is that www-sql performs nothing to verify if a user can
>access the intended PATH_TRANSLATED file.
>
>So, suppose your htdocs tree is /home/htdocs/
>you have a subdirectory /home/htdocs/protected/ in which you have
>restricted access using a .htaccess file.
>In your browser, enter URL http://your.server/protected/something.html:
>you get prompted for a username and a password.
>Now, enter URL http://your.server/cgi-bin/www-sql/protected/something.html:
>you get the requested file
>
>www-sql is available in the sunsite Incoming directory

This is a common characteristic of other "cgi-wrapper" programs as well,
including w3-msql and php.cgi. The latter addresses this by giving one
the option to set PATTERN_RESTRICT at compile time (that way it will
only load files ending in say ".phtml"), or by compiling as an apache
module. I'm not sure about w3-msql because I haven't been following it
for quite some time.

regards,
markjr

---
Mark Jeftovic aka: mark jeff or vic, stunt pope.
markjr@shmOOze.net http://www.shmOOze.net/~markjr
PWC's BOFH http://www.PrivateWorld.com
irc: L-bOMb
Keep `em Guessing

----------------------------------------------------------------------------

Someone wrote:
> On 09-Feb-98 Mr LEROY christophe wrote:
> >The problem is that www-sql performs nothing to verify if a user can
> >access the intended PATH_TRANSLATED file.
> >
> This is a common characteristic of other "cgi-wrapper" programs as well,
> including w3-msql and php.cgi. The latter addresses this by giving one
> the option to set PATTERN_RESTRICT at compile time (that way it will
> only load files ending in say ".phtml"), or by compiling as an apache
> module. I'm not sure about w3-msql because I haven't been following it
> for quite some time.
> regards, markjr

I use PHP/FI as a cgi program with Apache and Apache's Action
directive. To stop this bug, I added this to php/fi 2.0b12's main.c
file (around line 45):

#if PHPFASTCGI
	while(FCGI_Accept() >= 0) {
#endif

+	s = getenv("REDIRECT_STATUS");
+	if(!s) {
+		puts("Content-type: text/plain\r\n\r\nPHP/FI detected an internal error. Please inform sa@hogia.net of what you just did.\n");
+		exit(1);
+	}

	s = getenv("PATH_TRANSLATED");

This prevents the script from being called directly via an URL since
that wouldn't set the REDIRECT_STATUS variable.
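Review bot: exit(1) inside the `#if PHPFASTCGI while(FCGI_Accept() >= 0) {` loop ends the whole FastCGI process on the first direct request rather than just refusing that request, so in the FastCGI build the refusal should write the response and continue the accept loop instead. The check also only tests that REDIRECT_STATUS is present, so it relies on Apache having already applied the .htaccess rules to the original URL before the Action redirect; a one-line comment above `s = getenv("REDIRECT_STATUS");` stating that assumption would help the next reader. The message text reports an "internal error" for what is a deliberate refusal; saying that the script must be invoked through the Action handler would be clearer to whoever hits it.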
I believe I sent this to the PHP/FI development list, but I never heard
anything from them (probably because they were going to drop the cgi
support).

/Sebastian

----------------------------------------------------------------------------

At 11:57 10/02/98 +0100, Sebastian Andersson wrote:
>I use PHP/FI as a cgi program with Apache and Apache's Action
>directive. To stop this bug, I added this to php/fi 2.0b12's main.c
>file (around line 45):
>
>#if PHPFASTCGI
>	while(FCGI_Accept() >= 0) {
>#endif
>
>+	s = getenv("REDIRECT_STATUS");
>+	if(!s) {
>+		puts("Content-type: text/plain\r\n\r\nPHP/FI detected an internal error. Please inform sa@hogia.net of what you just did.\n");
>+		exit(1);
>+	}
>
>	s = getenv("PATH_TRANSLATED");
>
>
>This prevents the script from being called directly via an URL since
>that wouldn't set the REDIRECT_STATUS variable. I believe I sent this to
>the PHP/FI development list, but I never heard anything from them
>(probably because they were going to drop the cgi support).

Hi,

CGI support isn't going away anytime soon. It's supported in the new
version (PHP 3.0) and isn't scheduled to be discontinued.

Note that even with your patch, people on your machine with permissions
to use PHP scripts will still be able to access files with the same
permissions as the user running the web server (or the CGI, if you use
suexec), possibly overriding any apache .htaccess restrictions. However,
you can configure this using safe mode.

In any case, your patch does give some extra security to the CGI version
of PHP when using apache's Action feature, so I added it to the source
tree of PHP 3. Thanks for the suggestion.

Zeev

---
Zeev Suraski
Web programmer, System administrator, Netvision LTD
http://bourbon.netvision.net.il/
ICQ: 1450980
For a PGP public key, finger bourbon@netvision.net.il

----------------------------------------------------------------------------
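The defences the thread discusses, Sebastian's REDIRECT_STATUS presence check and the PATTERN_RESTRICT-style suffix restriction Mark mentions, combined with confinement of PATH_TRANSLATED to the document root, as an added C example that is not code from PHP/FI, www-sql or any of the posters. The function names, the document root and the ".phtml" suffix are assumptions, and all inputs in the test are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Decide whether a CGI filter may serve PATH_TRANSLATED.
 * redirect_status: REDIRECT_STATUS from the environment, NULL if unset.
 * path: PATH_TRANSLATED.  docroot: absolute document root ending in '/'.
 * suffix: the only file suffix we are willing to process (PATTERN_RESTRICT style).
 * Returns 1 to serve, 0 to refuse. */
int request_allowed(const char *redirect_status, const char *path,
                    const char *docroot, const char *suffix)
{
    size_t dlen, plen, slen;
    const char *p;

    /* Sebastian's check: a direct /cgi-bin/... URL never sets REDIRECT_STATUS;
       only requests Apache redirected to us via Action do. */
    if (redirect_status == NULL || *redirect_status == '\0')
        return 0;
    if (path == NULL || docroot == NULL || suffix == NULL)
        return 0;
    dlen = strlen(docroot); plen = strlen(path); slen = strlen(suffix);

    /* Confine the file to the document root (assumed to end in '/'). */
    if (plen <= dlen || strncmp(path, docroot, dlen) != 0)
        return 0;

    /* Refuse "", "." and ".." components so the prefix test cannot be escaped. */
    for (p = path + dlen; ; p = strchr(p, '/') + 1) {
        const char *end = strchr(p, '/');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (n == 0 || (n == 1 && p[0] == '.') || (n == 2 && p[0] == '.' && p[1] == '.'))
            return 0;
        if (end == NULL)
            break;
    }

    /* Only process files with the configured suffix, as php.cgi's PATTERN_RESTRICT does. */
    if (plen < slen || strcmp(path + plen - slen, suffix) != 0)
        return 0;
    return 1;
}

/* Convenience wrapper reading the real CGI environment (assumed names only). */
int cgi_request_allowed(const char *docroot, const char *suffix)
{
    return request_allowed(getenv("REDIRECT_STATUS"), getenv("PATH_TRANSLATED"),
                           docroot, suffix);
}
```

As Zeev notes, the file is still opened with the web server's (or suexec user's) permissions, so this narrows what the CGI will hand out but does not reproduce the .htaccess rules themselves.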