[6116] in bugtraq
Re: www-sql cgi prog overrides .htaccess restrictions.
daemon@ATHENA.MIT.EDU (Sebastian Andersson)
Wed Feb 11 14:32:47 1998
Date: Tue, 10 Feb 1998 11:57:26 +0100
Reply-To: Sebastian Andersson <sa@HOGIA.NET>
From: Sebastian Andersson <sa@HOGIA.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19980210050459Z97121-27491+16@brimstone.netspace.org>
Someone wrote:
> On 09-Feb-98 Mr LEROY christophe wrote:
> >The problem is that www-sql performs nothing to verify if a user can
> >access the intended PATH_TRANSLATED file.
> >
> This is a common characteristic of other "cgi-wrapper" programs as well,
> including w3-msql and php.cgi. The latter addresses this by giving one
> the option to set PATTERN_RESTRICT at compile time (that way it will
> only load files ending in say ".phtml"), or by compiling as an apache
> module. I'm not sure about w3-msql because I haven't been following it
> for quite some time.
> regards, markjr
I use PHP/FI as a cgi program with Apache and Apache's Action
directive. To stop this bug, I added this to php/fi 2.0b12's main.c
file (around line 45):
#if PHPFASTCGI
while(FCGI_Accept() >= 0) {
#endif
+ s = getenv("REDIRECT_STATUS");
+ if(!s) {
+ puts("Content-type: text/plain\r\n\r\nPHP/FI detected an internal error. Please inform sa@hogia.net of what you just did.\n");
+ exit(1);
+ }
s = getenv("PATH_TRANSLATED");
This prevents the script from being called directly via an URL since
that wouldn't set the REDIRECT_STATUS variable. I believe I sent this to
the PHP/FI development list, but I never heard anything from them
(probably because they were going to drop the cgi support).
/Sebastian
