[12508] in bugtraq
Re: Security flaw in Cobalt RaQ2 cgiwrap
daemon@ATHENA.MIT.EDU (Chris Adams)
Wed Nov 10 12:33:15 1999
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19991109152707.F1530@HiWAAY.net>
Date: Tue, 9 Nov 1999 15:27:07 -0600
Reply-To: Chris Adams <cmadams@HIWAAY.NET>
From: Chris Adams <cmadams@HIWAAY.NET>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <38275EA4.FC37494A@umr.edu>
Once upon a time, Nathan Neulinger <nneul@UMR.EDU> said:
> Just wanted to point out - this is specific to the modifications that
> Cobalt has made to cgiwrap for their server's structure. It is not an
> issue with the regular version of cgiwrap.
That is correct. I'm sorry if I wasn't clear about that. It also only
appears to be a problem only on the RaQ2, not the original RaQ.
> I don't completely understand all of their changes, but they have added
> a bunch of code to how cgiwrap detects what user to run stuff as. (And
> got rid of cgiwrapd, one of the more useful debugging tools.)
cgiwrapd is still there, it just isn't directly obvious how to use it.
If you normally call your script as
http://www.site1.com/test.cgi
you can call it as
http://www.site1.com/cgiwrapDir/cgiwrapd/test.cgi
to run it under cgiwrapd. Basically they ScriptAlias "cgiwrapDir" to
the directory where cgiwrap is installed.
Cobalt has an updated package available on their FTP site (I haven't
received anything official about it, but I found it, installed it, and
tested it). It appears to fix all of the bugs I found, and changes the
behavior some. Instead of running scripts in the site's /web directory
as user "nobody" and the site's group, it runs them as the owner of the
script, _if_ that user is a member of the site's admin group. I like
that better than running all site CGIs as "nobody".
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Information Services
I don't speak for anybody but myself - that's enough trouble.
