COMMAND

    cgi in Xitami

SYSTEMS AFFECTED

    OS/2

PROBLEM

    The following note was sent to the Xitami mailing list.  Xitami is
    a  free  and  easily  configurable  web server for many platforms,
    including OS/2.   There is  the potential  on non-Unix  systems to
    open a security hole in Xitami whereby users can execute arbitrary
    CGI  programs  on  the  server.   This  is not possible on default
    configurations.

    The  security  hole  is  possible  because  Xitami  allows the CGI
    indicator, '/cgi-bin'  to occur  anywhere in  the URL.   This is a
    valid  CGI  URL,  assuming  that  'program.pl'  is  an  executable
    program, e.g. a Perl script:

        http://somehost/users/jondo/cgi-bin/program.pl

    If you have configured Xitami so that a user can upload files into
    the HTTP area using FTP,  then the user can also  upload arbitrary
    CGI programs and execute them on your system.

SOLUTION

    The next release of Xitami  will provide an option to  disable the
    wildcard matching of '/cgi-bin' in the URL.  In existing versions,
    you should run Xitami under a user ID that does not have access to
    sensitive  data,  if  the  operating  system  allows  this.  Newer
    versions will be available via:

        http://www.imatix.com/

    Xitami doesn't support the *.cgi convention for CGI programs that
    some web servers (optionally) support.  As an alternative, Xitami
    has a feature where any directory named "cgi-bin" (or the
    user-configured name) is considered a cgi-bin directory, and CGI
    programs are executed out of it.  This was documented as a
    feature, and several people using Xitami make use of it to
    subdivide their cgi-bin directories (by project, etc.), keeping
    the CGI programs near the relevant HTML files.  Xitami also has a
    built-in FTP server.  By default this FTP server is pointed at a
    different area from the default web pages area (configured for an
    anonymous FTP file download area).  However, some people
    configured it so that FTP access into their web pages area was
    allowed (with suitable usernames/passwords), to let their clients
    (etc.) upload new web pages.  With this configuration it was
    possible for a user to connect with FTP and, provided they had
    the right access rights (which also needed to be configured),
    create a new "cgi-bin" directory and then put a program into it.
    Obviously this poses a security risk if you can't completely
    trust the users who have access to the web pages area (FTP access
    can be restricted both by passwords and by IP address ranges).
    It is a particular concern under operating systems which don't
    provide non-privileged users (e.g., Windows 95), and a considerable
    number of Xitami users run it in such an environment.  So
    iMatix issued a security alert.  The default configuration is
    safe, but an inadvertent combination of features can lead to a
    security risk.