COMMAND

    ChiliSoft ASP

SYSTEMS AFFECTED

    ChiliSoft ASP

PROBLEM

    Mark  Krenz  found  following.   ASP  (Active  Server Pages) are a
    technology  initially  developed  by   Microsoft  to  tackle   the
    "dynamic content  on the  web" problem.   Chili!Soft is  a company
    that has released a piece  of software called Chili!Soft ASP  that
    makes ASP functionality available  on other operating systems  and
    webservers,  such  as  Linux,  Solaris  and  AIX,  HP-UX,  Apache,
    iPlanet, Lotus Domino and O'Reilly Website Pro.

    Under Un*x systems you can set the ChiliSoft ASP (CASP) daemon  to
    run in  one of  two different  security modes.   The first  one is
    defined mode, where you specify that the daemon be started as root
    and  then  run   as  the  user   you  specify  in   the  casp.cnfg
    configuration file.  As an  example, this mode would be  useful on
    a company who  runs their own  webserver and uses  one single user
    to own all their web content.

    The second mode  that CASP can  be run in  is inherited mode.   In
    this mode, the server is started by root and inherits the user and
    group information from each virtual host in the Apache  webserver.
    So if a virtual domain  called www.xyz.org was setup under  Apache
    with the directives "User john" and "Group vhttp", any script  run
    in that domain's webspace would run as the user john and the group
    vhttp.   And thus  the scripts  would be  restricted to  accessing
    files based on the access allowed to that user and group.  This is
    useful  for  ISPs  that  have  webservers  that are shared by many
    different virtual domain customers.

    While running CASP in the inherited security mode, none of the ASP
    scripts running under a user's virtual webspace inherit the  group
    that is specified with the Group directive in the domain's virtual
    host container.  So while the  scripts end up running as the  user
    specified with the  User directive, they  end up running  as group
    root.  This kinda defeats the whole purpose of inherited mode  and
    is a major security problem.

    This has been tested and  confirmed problem on a RedHat  Linux 6.2
    machine running RedHat  SecureWebServer 3.2.1, which  is basically
    Apache 1.3.9 with mod_ssl.

    All cobalt boxes that come with Chili!Soft have it on by  default.
    But they are not affected by  this bug as the inherit_user is  off
    by default.

SOLUTION

    This is a  known issue with  the software, and  has been addressed
    in the upcoming 3.6 round of releases.  A temporary solution might
    be to change  your security mode  to defined user  mode by setting
    inherit_user=0 and specifying  a user and  group to run  as in the
    casp.cnfg file.