[11439] in bugtraq


Re: Stupid bug in W3-msql

daemon@ATHENA.MIT.EDU (David J. Hughes)
Thu Aug 19 23:11:34 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.9908192350211.1504-100000@fawn.hughes.com.au>
Date:         Fri, 20 Aug 1999 00:36:45 +1000
Reply-To: "David J. Hughes" <bambi@HUGHES.COM.AU>
From: "David J. Hughes" <bambi@HUGHES.COM.AU>
X-To:         gregory duchemin <veille@NEUROCOM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19990817171348.8576.qmail@securityfocus.com>

On Tue, 17 Aug 1999, gregory duchemin wrote:

> there is a really stupid bug in w3-msql cgi-bin developed
> by Hughes Technology: http://www.Hughes.com.au
> This bug is a bit old but seems to be always actual in the
> last release of this software: mini-sql v 2.0.10.1

This isn't a bug in our opinion, it's just the way embedded web scripting
works. There are security-related facilities included in w3-mSQL to avoid
these problems and they are outlined below.


> It's very simple to exploit the flaw; An intruder is able to
> look at everything on a remote web server even if the
> directory is ".htaccess protected". (eg apache)
>
> the first way to do it:
>
> http://www.victim.org/cgi-bin/w3-msql/protected-directory/private-file
> note: in this case, the intruder'll have to already know the
> structure of the directory

W3-mSQL has always supported the concept of a private document tree.  If
you set the Force_Private option in the w3-msql section of the config file
to True then w3-msql will not access documents directly from your web
tree.  In that case it uses /usr/local/Hughes/www as the document root for
anything accessed via w3-msql.  This also allows you to hide your w3-msql
source code.

Included in the new 2.0.11 release (shipping from our web site and mirrors
on 20 Aug 1999) is a new configuration option called Force_Suffix.  If
set, w3-mSQL will only process files if the filename's suffix matches the
suffix specified in the config file.  Setting this to .msql for example
ensures that the rest of your pages cannot be accessed via w3-mSQL.

I hope this answers your concerns about w3-mSQL.


Bambi
---
                                    ______
   /   /            /                 /           /      David J. Hughes
  /___/       ___  /__  ___  ___     /  ___  ___ /__     Bambi@Hughes.com.au
 /   / /  /  /  / /  / /__/ /__     /  /__/ /   /  /     Managing Director
/   / /__/  /__/ /  / /__  ___/    /  /__  /__ /  / o    Hughes Technologies
            __/
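
The effect of the two options described in this message, as an added example (not code from the original post or from Hughes Technologies). The helper name `resolve_request`, the web root `/var/www/htdocs` and the `..` component check are assumptions made for illustration; only `/usr/local/Hughes/www` and the `.msql` suffix come from the message.

```c
#include <stdio.h>
#include <string.h>

/* Document root the message says w3-msql uses when Force_Private is True. */
#define PRIVATE_ROOT "/usr/local/Hughes/www"

/* Hypothetical helper: map PATH_INFO to a file name under the two options.
 * Returns 0 and fills `out` if allowed, -1 if refused. force_suffix may be
 * NULL (option not set). */
int resolve_request(const char *path_info, int force_private,
                    const char *web_root, const char *force_suffix,
                    char *out, size_t outlen)
{
    const char *root = force_private ? PRIVATE_ROOT : web_root;
    const char *p;
    int n;

    if (path_info == NULL || path_info[0] != '/')
        return -1;
    /* Assumption: refuse ".." components so the chosen root really confines. */
    for (p = path_info; *p != '\0'; ) {
        const char *seg = p + 1;
        const char *end = strchr(seg, '/');
        size_t len = end ? (size_t)(end - seg) : strlen(seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return -1;
        p = end ? end : seg + len;
    }
    /* Force_Suffix: only names ending in the configured suffix are processed. */
    if (force_suffix != NULL && force_suffix[0] != '\0') {
        size_t plen = strlen(path_info), slen = strlen(force_suffix);
        if (plen <= slen || strcmp(path_info + plen - slen, force_suffix) != 0)
            return -1;
    }
    n = snprintf(out, outlen, "%s%s", root, path_info);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char buf[256];
    /* Constructed request, shaped like the path in the quoted report. */
    int rc = resolve_request("/protected-directory/private-file", 1,
                             "/var/www/htdocs", ".msql", buf, sizeof buf);
    printf("%s\n", rc == 0 ? buf : "refused");
    return 0;
}
```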
