COMMAND
www-sql
SYSTEMS AFFECTED
Systems running www-sql
PROBLEM
Leroy Christophe found the following. www-sql is a CGI program that
accesses a MySQL database via an HTTP server and makes it easy to
build pages from a query result. The program acts as a filter: it
uses the PATH_TRANSLATED feature to access HTML files in your server
tree and translates <! sql ...> tags into viewable HTML text, leaving
the other parts of the HTML file unchanged. The problem is that
www-sql does nothing to verify whether the requesting user is allowed
to access the file named by PATH_TRANSLATED.
So, suppose the following:
- your htdocs tree is /home/htdocs/
- you have a subdirectory /home/htdocs/protected/ to which you have
  restricted access using a .htaccess file.
In your browser, enter the URL:
http://your.server/protected/something.html
and you are prompted for a username and a password. Now enter the URL:
http://your.server/cgi-bin/www-sql/protected/something.html
and you get the requested file without any restriction, because the
web server's access checks apply to the CGI program's own URL, not to
the file it then opens via PATH_TRANSLATED. www-sql is available in
the Incoming directory on sunsite.
SOLUTION
According to Mark Jeftovic this is a common characteristic of other
"cgi-wrapper" programs as well, including w3-msql and php.cgi. The
latter addresses this by giving one the option to set
PATTERN_RESTRICT at compile time (so that it will only load files
ending in, say, ".phtml"), or by compiling it as an Apache module.
According to Sebastian Andersson, he stopped this bug with PHP/FI
running as a CGI program under Apache together with Apache's Action
directive, by adding the following to PHP/FI 2.0b12's main.c file
(around line 45):
#if PHPFASTCGI
while(FCGI_Accept() >= 0) {
#endif
+ s = getenv("REDIRECT_STATUS");
+ if(!s) {
+ puts("Content-type: text/plain\r\n\r\nPHP/FI detected an internal error. Please inform sa@hogia.net of what you just did.\n");
+ exit(1);
+ }
s = getenv("PATH_TRANSLATED");
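Review bot: the new guard at `s = getenv("REDIRECT_STATUS");` treats any value as proof that the request arrived through the Action directive, but Apache sets REDIRECT_STATUS (with the other REDIRECT_* variables) on every internal redirect, ErrorDocument handlers included; since all of those are chosen by the server and never by the client, the check still rules out the direct-URL call described in the advisory, but a comment above the `if(!s)` should state that this is the property being relied on, and that under a server that never sets REDIRECT_STATUS every request will be refused. The hard-coded "Please inform sa@hogia.net" text in the `puts(...)` line is a site-specific detail that does not belong in main.c if this change is to be shared; a neutral message such as "PHP/FI must be invoked through the server's Action handler" would serve everyone applying the patch.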
This prevents the script from being called directly via a URL, since a
direct call would not set the REDIRECT_STATUS variable.
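The combination of checks described above (the REDIRECT_STATUS guard from the PHP/FI patch, a PATTERN_RESTRICT-style file-type restriction, and confinement to the document root) as an added example for a CGI filter of the www-sql kind; this is illustrative code written for this page, not www-sql's or PHP/FI's own, and the function names, the constructed CGI environments and the /home/htdocs document root (taken from the advisory's scenario) are assumptions.

```python
import os

DOCROOT = "/home/htdocs"    # document root from the advisory's scenario
ALLOWED_SUFFIX = ".phtml"   # PATTERN_RESTRICT-style restriction (assumed)


def resolve_target(env, docroot=DOCROOT, suffix=ALLOWED_SUFFIX):
    """Decide which file a CGI filter may open for the request in `env`.

    `env` is the CGI environment (a dict standing in for os.environ).
    Returns (True, real_path) when the file may be processed, otherwise
    (False, reason).  A wrapper that simply opened env["PATH_TRANSLATED"]
    is the behaviour the advisory describes for www-sql.
    """
    # 1. Require dispatch by the server.  Apache's Action directive sets
    #    REDIRECT_STATUS; a direct URL to the CGI program does not.
    if not env.get("REDIRECT_STATUS"):
        return False, "not dispatched through the server's Action handler"

    path = env.get("PATH_TRANSLATED")
    if not path:
        return False, "no PATH_TRANSLATED"

    # 2. Only handle the file type the wrapper exists for, so it cannot be
    #    used as a generic reader for arbitrary files (cf. PATTERN_RESTRICT).
    if not path.endswith(suffix):
        return False, "file type not handled by this wrapper"

    # 3. Confine the resolved file to the document root.  Both sides are
    #    canonicalised so ".." segments and symlinks cannot escape, and
    #    commonpath avoids the /home/htdocs vs /home/htdocs2 prefix trap.
    real = os.path.realpath(path)
    root = os.path.realpath(docroot)
    if os.path.commonpath([real, root]) != root:
        return False, "outside document root"
    return True, real


if __name__ == "__main__":
    # Constructed environments mirroring the advisory's two URLs.
    direct = {"PATH_TRANSLATED": "/home/htdocs/protected/something.html"}
    via_action = dict(direct, REDIRECT_STATUS="200")
    print("direct call:    ", resolve_target(direct))
    print("via Action:     ", resolve_target(via_action))
    print("allowed .phtml: ", resolve_target(
        {"REDIRECT_STATUS": "200",
         "PATH_TRANSLATED": "/home/htdocs/protected/index.phtml"}))
```

Because the server performs the .htaccess check before it internally redirects to the handler, a request that passes step 1 has already been authorised for the file that PATH_TRANSLATED names; steps 2 and 3 limit the damage should that assumption ever fail.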