
[cobalt-users] URGENT: Security hole in CgiWrap ?



Hello all,

I have found out something very strange that I cannot explain. I have written a
simple C program and ran it in three different environments:
1. from telnet
2. via the web using cgiwrap
3. via the web NOT using cgiwrap

The program looks like this; I think Perl programmers will also understand
it (I only cut off the include directives):

    int main(int argc, char * argv[])
    {
        struct passwd *p;
        printf("Content-type: text/html\n\n");
        printf("GETLOGIN: %s\n", getlogin());
        printf("CUSERID: %s\n", cuserid(0));
        p = getpwuid(getuid());      /* real user ID */
        if (p) printf("GETUID: %s\n", p->pw_name);
        p = getpwuid(geteuid());     /* effective user ID */
        if (p) printf("GETEUID: %s\n", p->pw_name);
        return 0;
    }

When running it from telnet, it prints

    Content-type: text/html

    GETLOGIN: manitu
    CUSERID: manitu
    GETUID: manitu
    GETEUID: manitu

Fine. All right. That's what the program is supposed to do.

When running from the web using cgi-wrap, it prints

    GETLOGIN: (null)
    CUSERID: manitu
    GETUID: manitu
    GETEUID: manitu

and that should NOT happen. The program does not use any setuid features,
but nevertheless it gets my effective user ID (geteuid).

When using the cgi WITHOUT cgi-wrap, it prints

    GETLOGIN: (null)
    CUSERID: httpd
    GETUID: httpd
    GETEUID: httpd

which is right in my opinion. This is also what it should do with cgi-wrap.


If anybody has more information about this behaviour, please let us know,
since some of us would like to write safer cgi (and pl) programs.


Thanks
Manuel
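
An added example, not part of the original post and not CGIWrap's code: a sketch of a wrapper that switches to a target user before handing control to a program, showing that the program then sees that user from both getuid() and geteuid() without carrying any set-uid bit itself. The names drop_to and ids_seen_by_child are this example's own, and it uses the caller's own IDs as constructed input so that it runs without root.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently switch to uid/gid, as a wrapper does before running a user's
 * program. Order matters: supplementary groups, then gid, then uid. */
static int drop_to(uid_t uid, gid_t gid)
{
    /* Only root dropping to a non-root user has groups to shed. */
    if (geteuid() == 0 && uid != 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* Verify instead of trusting the return codes alone. */
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}

/* Fork a child that stands in for the CGI program, switch identity in it,
 * and pass back what it sees from getuid()/geteuid(). Returns 0 on success. */
int ids_seen_by_child(uid_t uid, gid_t gid, uid_t *ruid, uid_t *euid)
{
    int fd[2], status;
    uid_t ids[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {
        close(fd[0]);
        if (drop_to(uid, gid) != 0) _exit(1);
        ids[0] = getuid(); ids[1] = geteuid();
        _exit(write(fd[1], ids, sizeof ids) == (ssize_t)sizeof ids ? 0 : 1);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], ids, sizeof ids);
    close(fd[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0 || n != (ssize_t)sizeof ids) return -1;
    *ruid = ids[0]; *euid = ids[1];
    return 0;
}

int main(void)
{
    uid_t r, e;
    /* Constructed input: the caller's own IDs, so no root is required. */
    if (ids_seen_by_child(getuid(), getgid(), &r, &e) != 0) return 1;
    printf("child sees real uid=%lu, effective uid=%lu\n",
           (unsigned long)r, (unsigned long)e);
    return 0;
}
```

Run as root with another account's uid and gid passed to ids_seen_by_child, the child reports that account for both IDs, which is the pattern in the cgi-wrap output above.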