
Re: [cobalt-users] CGI-Wrap Hole? (was CGI-Bin on RAQ2)



On Fri, 23 Nov 2001 12:57:31 -0500, "Dan Kriwitsky"
<webhosting@xxxxxxxxx> wrote:

:>> :>
:>> :>AuthPAM_Enabled off
:>>
:>> Thanks for the response.
:>>
:>> If that line is in the .htaccess file in the protected directory I
:>> receive an internal server error when the browser tries to open the page.
:>> I initially had it in the script, but removed it to avoid receiving the
:>> internal error.
:>>
:>> Does something else need to be turned on for this to work?
:>>
:>
:>My guess would be the files are owned by "admin" and not the siteadmin user.
:>That could be the problem.

Well, I had thought of that too. However, my permissions are:

[root@vanecek info]# d
total 109
drwxr-xr-x   3 httpd    home         1024 Nov 25 19:57 ./
drwxr-xr-x   5 httpd    home         1024 Nov 25 12:02 ../
-rw-r--r--   1 httpd    home          221 Oct  1 12:58 .htaccess
-rw-r--r--   1 httpd    home          241 Oct  1 12:56 .htaccess~
-rw-r--r--   1 httpd    home          727 Nov 25 11:03 .htpasswd
-rw-r--r--   1 httpd    home        98128 Nov 19 11:33 own.html
-rw-r--r--   1 httpd    home          279 Oct  1 11:08 index.html
-rw-r--r--   1 httpd    home           13 Oct  2 07:46 password.txt
-rw-r--r--   1 httpd    home         2977 Nov 25 11:04 robo.html
-rwxr-x--x   1 httpd    home          783 Nov 25 19:57 who.pl*

The html files authenticate correctly, i.e.,

http://<domain>/robo/info/robo.html authenticates correctly.

http://<domain>/robo/info/who.pl authenticates correctly.

http://<domain>/cgiwrapDir/cgiwrap/robo/info/who.pl executes the script
without any authentication (yes, I have closed the browser, cleared the
cache, etc.). 

The workaround is not to use cgiwrap. But I hate the thought of this
big hole for supposedly password-protected directories.

Thank you very much for the suggestions and your time. At least they
tell me I have been looking for the same things.

Mike.
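
An added example, not part of the original message or of cgiwrap itself: a Python audit that lists executable CGI scripts sitting in or below a directory whose .htaccess demands authentication, which are the files to re-test when a wrapper serves them from a different URL path, as reported above. The function names, the extension list and the "Require directive" heuristic are assumptions made for this sketch.

```python
import os
import re
import stat
import sys

# Assumption: an access-restricting .htaccess has an uncommented "Require" line.
REQUIRE_RE = re.compile(r"^[ \t]*require[ \t]+\S", re.IGNORECASE | re.MULTILINE)
# Assumption: CGI scripts are recognised by these extensions.
CGI_EXTENSIONS = (".pl", ".cgi")


def htaccess_requires_auth(path):
    """True if the .htaccess file at `path` contains a Require directive."""
    try:
        with open(path, "r", errors="replace") as fh:
            return bool(REQUIRE_RE.search(fh.read()))
    except OSError:
        return False  # no .htaccess here, or it is unreadable


def find_protected_cgi(root):
    """Return paths (relative to root) of executable CGI scripts located in
    or below a directory whose .htaccess requires authentication."""
    root = os.path.abspath(root)
    protected_dirs = set()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        inherited = os.path.dirname(dirpath) in protected_dirs
        own = htaccess_requires_auth(os.path.join(dirpath, ".htaccess"))
        if not (inherited or own):
            continue  # unprotected directory; children are still visited
        protected_dirs.add(dirpath)
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if not name.lower().endswith(CGI_EXTENSIONS) or not os.path.isfile(full):
                continue
            # Only scripts with an execute bit can be run as CGI.
            if os.stat(full).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append(os.path.relpath(full, root))
    return findings


if __name__ == "__main__":
    # Usage: python audit.py /path/to/site/web
    for script in find_protected_cgi(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("protected by .htaccess, verify via wrapper URL:", script)
```

Each path it prints should be requested through the wrapper URL from a fresh browser session to confirm whether the directory's authentication is actually enforced there.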