[15024] in bugtraq
Re: Problem with FrontPage on Cobalt RaQ2/RaQ3
daemon@ATHENA.MIT.EDU (Chris Adams)
Wed May 24 16:41:35 2000
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000523145907.F11049@HiWAAY.net>
Date: Tue, 23 May 2000 14:59:07 -0500
Reply-To: Chris Adams <cmadams@HIWAAY.NET>
From: Chris Adams <cmadams@HIWAAY.NET>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10005231350440.23217-100000@stanis.onastick.net>;
from sitz@onastick.net on Tue, May 23, 2000 at 01:54:44PM -0400

Once upon a time, Noah <sitz@onastick.net> said:
> On Tue, 23 May 2000, Chris Adams wrote:
> > You can bypass cgiwrap because the Apache config files have the line
> > "AllowOverride All". All you have to do is create an .htaccess file
> > with these lines in it:
> >
> > Options +ExecCGI
> > AddHandler cgi-script .cgi
>
> Ah, but you see, here's the kicker. Unless the FPE for Unix have changed
> drastically since last I frobbed with them, they *require* "AllowOverride
> All" in order to work correctly.

The only thing that "AllowOverride All" is _really_ needed for with FP
is "Options None", which really isn't needed when you have "deny from
all" in there as well (at least AFAIK).

> Which is not to say there may not be another fix for this particular
> issue. You can use "order deny,allow" and "{deny,allow} from" directives
> to limit access from trusted IPs, for starters. Which doesn't eliminate
> the issue, but certainly contains it somewhat. This makes the assumption
> that such a fix will function correctly in your environment, of course.

Limiting access to certain IPs would not be a solution for web hosting
(these are public sites after all).

The fix that Cobalt said they were working on would change the user that
owns all FP sites from "httpd" to "nobody", so getting around the
cgi-wrapper would not give you access to the FP sites (they would still
only run as "httpd").

It should be possible to fix the FP extensions to work in a more
"normal" environment (without AllowOverride All), but it would take
someone with source access (which Cobalt might have - they don't use a
"standard" FP setup AFAIK). This would make the server a little more
secure and stable. The RaQ3 includes mod_perl, and with AllowOverride
All, any user can do mod_perl stuff as well.
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Information Services
I don't speak for anybody but myself - that's enough trouble.
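
An audit sketch for the issue discussed in this message, added here as an example and not part of the original post or of any Cobalt or Apache tooling: it flags .htaccess lines that turn on script execution (CGI or mod_perl handlers) and names the AllowOverride class each one depends on. The function names and sample file contents are constructed for illustration.

```python
import os

# Directive -> AllowOverride class it needs in order to be honoured in .htaccess
OVERRIDE_CLASS = {"options": "Options", "addhandler": "FileInfo", "sethandler": "FileInfo"}
# Handlers that make Apache execute content: cgi-script (mod_cgi), perl-script (mod_perl)
EXEC_HANDLERS = {"cgi-script", "perl-script"}

# Constructed sample inputs: the two lines quoted in the thread, and a lock-down file
SAMPLE = "# constructed sample\nOptions +ExecCGI\nAddHandler cgi-script .cgi\n"
BENIGN = "Options None\norder deny,allow\ndeny from all\n"


def audit_htaccess(text):
    """Return (line_no, line, override_class) for each line that enables execution."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        name = parts[0].lower()
        args = [a.strip('"').lower() for a in parts[1:]]
        if name == "options":
            # "ExecCGI", "+ExecCGI" and "All" each switch CGI execution on
            hit = any(a.lstrip("+") in ("execcgi", "all") for a in args)
        elif name in ("addhandler", "sethandler"):
            hit = bool(args) and args[0] in EXEC_HANDLERS
        else:
            hit = False
        if hit:
            findings.append((no, line, OVERRIDE_CLASS[name]))
    return findings


def audit_tree(docroot):
    """Walk a document root and map each offending .htaccess path to its findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, errors="replace") as fh:
                found = audit_htaccess(fh.read())
            if found:
                results[path] = found
    return results


if __name__ == "__main__":
    for no, line, cls in audit_htaccess(SAMPLE):
        print(f"line {no}: {line!r} depends on AllowOverride {cls}")
```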