COMMAND

    W3-msql

SYSTEMS AFFECTED

    Those running mSQL

PROBLEM

    Gregory Duchemin found the following.  There is a really stupid bug
    in the w3-msql CGI program developed by Hughes Technology.  This bug
    is a bit old but still seems to be present in the latest release of
    this software: mini-sql v 2.0.10.1

    It's very simple to exploit the flaw: an intruder is able to look
    at everything on a remote web server even if the directory is
    ".htaccess protected" (e.g. Apache).  The first way to do it:

        http://www.victim.org/cgi-bin/w3-msql/protected-directory/private-file

    Note: in this case, the intruder will have to already know the
    structure of the directory.  The second way:

        http://www.victim.org/cgi-bin/w3-msql/protected-directory/.htpasswd

    In this way, the intruder will get all the DES encrypted passwords
    for authorized users in plain text and so will be able to crack
    any account (e.g. Crack 5.0 by Alec Muffett).

SOLUTION

    There are security related facilities included in w3-mSQL to avoid
    these problems and they are outlined below.  W3-mSQL has always
    supported the concept of a private document tree.  If you set  the
    Force_Private option in the w3-msql section of the config file  to
    True then  w3-msql will  not access  documents directly  from your
    web  tree.   In  that  case  it  uses /usr/local/Hughes/www as the
    document root for anything accessed via w3-msql.  This also allows
    you to hide your w3-msql source code.  Included in the new  2.0.11
    release (shipping from  our web site  and mirrors on  20 Aug 1999)
    is  a  new  configuration  option  called  Force_Suffix.   If set,
    w3-mSQL will only process  files if the filename's  suffix matches
    the suffix specified  in the config  file.  Setting  this to .msql
    for  example  ensures  that  the  rest  of  your  pages  cannot be
    accessed via w3-mSQL.
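
    To check whether a server was already queried this way, the Force_Suffix
    rule can be applied after the fact to web server access logs.  The script
    below is an added example, not code from Hughes Technology or from the
    original report.  It assumes Common Log Format, the CGI mounted at
    /cgi-bin/w3-msql and ".msql" as the suffix; the log lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumptions (not from the advisory): Common Log Format input, the CGI
# mounted at /cgi-bin/w3-msql, and ".msql" as the Force_Suffix value.
CGI_PREFIX = "/cgi-bin/w3-msql"
ALLOWED_SUFFIX = ".msql"
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def path_info(target):
    """Return the decoded path handed to w3-msql, or None for other requests."""
    path = unquote(urlsplit(target).path)  # decode %2e etc. before matching
    if path == CGI_PREFIX or path.startswith(CGI_PREFIX + "/"):
        return path[len(CGI_PREFIX):]
    return None

def classify(info):
    """Apply the Force_Suffix rule: any file without the suffix is suspect."""
    if not info or info.endswith(ALLOWED_SUFFIX):
        return None
    name = info.rsplit("/", 1)[-1]
    if name.lower().startswith(".ht"):
        return "access-control file requested through w3-msql"
    return "non-%s file requested through w3-msql" % ALLOWED_SUFFIX

def scan(lines):
    """Return (host, path_info, status, reason) for each suspicious log line."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        info = path_info(m.group("target")) if m else None
        reason = classify(info) if info is not None else None
        if reason:
            findings.append((m.group("host"), info, int(m.group("status")), reason))
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [20/Aug/1999:10:00:01 +0000] "GET /cgi-bin/w3-msql/app/index.msql HTTP/1.0" 200 512',
    '192.0.2.44 - - [20/Aug/1999:10:00:07 +0000] "GET /cgi-bin/w3-msql/protected-directory/.htpasswd HTTP/1.0" 200 91',
    '192.0.2.44 - - [20/Aug/1999:10:00:09 +0000] "GET /cgi-bin/w3-msql/protected-directory/%2ehtpasswd HTTP/1.0" 200 91',
    '192.0.2.44 - - [20/Aug/1999:10:00:12 +0000] "GET /cgi-bin/w3-msql/protected-directory/private-file HTTP/1.0" 200 2048',
    '192.0.2.10 - - [20/Aug/1999:10:00:15 +0000] "GET /index.html HTTP/1.0" 200 100',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

    A status of 200 on a flagged line means the file was actually served, so
    any password file named in such a line should be treated as disclosed.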