RE: [cobalt-users] URGENT: Security hole in CgiWrap ?
- Subject: RE: [cobalt-users] URGENT: Security hole in CgiWrap ?
- From: "Neil J. Kemp" <neil@xxxxxxxxxx>
- Date: Tue Mar 7 13:08:26 2000
I can't be sure of this (I'm sure someone will correct me if I'm wrong) but
cgi-wrapper forces the CGI to be run with the permissions of the file in
question (in this case it's owned by 'manitu' correct?) and without
cgi-wrapper it runs as the same user as the entire webserver itself - httpd.
I'm pretty sure that's why you're getting the answers you're getting and I'm
also pretty sure it's supposed to do that.
--Neil
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of manitu
Sent: 07 March 2000 20:34
To: Cobalt Mailinglist
Subject: [cobalt-users] URGENT: Security hole in CgiWrap ?
Hello all,
I have found out something very strange I cannot explain. I have written a
simple C program and ran it under three different environments:
1. from telnet
2. via the web using cgiwrap
3. via the web NOT using cgiwrap
The program looks like this; I think Perl programmers will also understand
it (I only cut off the include directives):
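    /* Include directives were left out of the posted listing; these are the ones it needs. */
    #define _GNU_SOURCE   /* exposes cuserid() in <stdio.h> on current glibc */
    #include <stdio.h>
    #include <sys/types.h>
    #include <pwd.h>
    #include <unistd.h>

    int main(int argc, char * argv[])
    {
        struct passwd* p;
        printf("Content-type: text/html\n\n");
        /* getlogin() returns NULL when there is no controlling terminal */
        printf("GETLOGIN: %s\n", getlogin());
        printf("CUSERID: %s\n", cuserid(0));
        /* real user id, mapped to an account name */
        p = getpwuid(getuid());
        if (p) printf("GETUID: %s\n", p->pw_name);
        /* effective user id, mapped to an account name */
        p = getpwuid(geteuid());
        if (p) printf("GETEUID: %s\n", p->pw_name);
        return 0;
    }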
When running it from telnet, it prints
Content-type: text/html
GETLOGIN: manitu
CUSERID: manitu
GETUID: manitu
GETEUID: manitu
Fine. All right. That's what the program is supposed to do.
When running from the web using cgi-wrap, it prints
GETLOGIN: (null)
CUSERID: manitu
GETUID: manitu
GETEUID: manitu
and that should NOT happen. The program does not use any setuid features,
but nevertheless it gets my effective user id (geteuid).
When using the cgi WITHOUT cgi-wrap, it prints
GETLOGIN: (null)
CUSERID: httpd
GETUID: httpd
GETEUID: httpd
which is right in my opinion. This is also what it should do with cgi-wrap.
If anybody has more information about this behaviour, please let us know,
since some of us would like to write safer cgi (and pl) programs.
Thanks
Manuel
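Added example, not part of either post and not CgiWrap's own code: a small C CGI that tells apart the three identities discussed in this thread, namely running as the owner of the script file (the wrapper behaviour Neil describes), running as some other account such as the shared web server user, and running with differing real and effective uids because of a set-user-ID bit. The function names and the use of argv[0] as the script path are assumptions made for this example.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum cgi_identity {
    ID_SCRIPT_OWNER,   /* real == effective == file owner: wrapper-style execution */
    ID_OTHER_ACCOUNT,  /* real == effective, but not the owner: e.g. shared server user */
    ID_SETUID_SPLIT    /* real != effective: a set-user-ID bit is in effect */
};

/* Pure decision logic, kept separate so it can be checked with constructed uids. */
enum cgi_identity classify_identity(uid_t ruid, uid_t euid, uid_t owner)
{
    if (ruid != euid)
        return ID_SETUID_SPLIT;
    return (ruid == owner) ? ID_SCRIPT_OWNER : ID_OTHER_ACCOUNT;
}

/* Classify the current process against the owner of `path`; -1 if stat() fails. */
int classify_self(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)classify_identity(getuid(), geteuid(), st.st_uid);
}

const char *identity_name(int id)
{
    switch (id) {
    case ID_SCRIPT_OWNER:  return "script owner (wrapper-style)";
    case ID_OTHER_ACCOUNT: return "other account (e.g. shared server user)";
    case ID_SETUID_SPLIT:  return "real and effective uid differ (setuid bit)";
    default:               return "unknown (could not stat script)";
    }
}

int main(int argc, char *argv[])
{
    /* Assumption: the server invokes the program by full path, so argv[0]
       names the script file whose owner we compare against. */
    int id = classify_self(argc > 0 ? argv[0] : "");
    printf("Content-type: text/plain\n\n");
    printf("uid=%ld euid=%ld -> %s\n",
           (long)getuid(), (long)geteuid(), identity_name(id));
    return 0;
}
```

In the outputs quoted above, GETUID and GETEUID are identical in every run, so the wrapper case corresponds to ID_SCRIPT_OWNER and the plain server case to ID_OTHER_ACCOUNT; neither shows a real/effective split.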