
Kell Soennichsen (kell.sonnichsen@uni-c.dk)
Wed, 4 Sep 1996 14:41:48 +0200 (MET DST)


Date: Wed, 4 Sep 1996 14:41:48 +0200 (MET DST)
Message-Id: <199609041241.OAA23954@mediator.uni-c.dk>
From: kell.sonnichsen@uni-c.dk (Kell Soennichsen)
Subject: [mSQL] w3-msql : a security risk?

I have used w3-msql to make a quick www-access to a mSQL database
(well most people using w3-msql are doing that, I suppose :-).
Playing with it I found two problems with the w3-msql wrapping:

1) There is no check of whether the input file is an HTML file,
e.g. by checking the extension. This means that I can open the
following location:
http://machine.domain.com/cgi-bin/w3-msql/some-path/script.cgi
and get the CGI script code (_not_ the output of running the
CGI script).

2) There is no user/password checking when reading a file with
w3-msql. This means that if w3-msql is installed on a server,
then I can bypass the user/password protection (ok it's not much,
but it is there) in the server by opening the following location:
http://machine.domain.com/cgi-bin/w3-msql/some-protected-path/file.html

Exploiting these two problems I can get any file accessible from
the HTTP server regardless of user/password protection and any
CGI script code (as long as the CGI script isn't a compiled program).

The first problem could easily be solved by letting w3-msql only
accept .html or .htm files, but what about the second problem?
It depends on the protection method of the server, e.g. .htaccess
files. Any ideas?

BTW, I have started using PHP/FI instead - as a module in the
server, so there should be no problems there...:-)

Regards,
Kell

--
>>  Kell Soennichsen, UNI-C, Olof Palmes Alle 38, DK-8200 Aarhus N.  <<
>>  phone: +45 8937 6666 / +45 8937 6674, fax: +45 8937 6677         <<
>>  email: kell.sonnichsen@uni-c.dk, http://www.uni-c.dk             <<
>>     The two most common elements in the universe are hydrogen     <<
>>     -- and stupidity.                       -- Harlan Ellison     <<
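As an added illustration, not part of Kell's post or of w3-msql's own code, here is a Python path check of the kind proposed above: a wrapper that serves only .html/.htm files under its document root, rejects traversal, and, for the second problem, refuses any request whose path passes through a directory carrying a .htaccess file, since the wrapper cannot evaluate the server's own access rules. The document root `/srv/www-demo`, the `members` directory and the `demo_exists` lookup are constructed assumptions.

```python
import os

ALLOWED_EXTENSIONS = (".html", ".htm")


def resolve_request(doc_root, path_info, exists=os.path.exists):
    """Map a wrapper request's PATH_INFO to a file the wrapper may serve.
    Returns (absolute_path, "ok") or (None, reason); `exists` is injectable
    so the access-control check can run against a constructed layout."""
    if "\0" in path_info:
        return None, "embedded NUL byte"
    # PATH_INFO arrives already URL-decoded; reject any '..' segment outright
    # instead of collapsing it, so a traversing request fails loudly.
    segments = [s for s in path_info.split("/") if s and s != "."]
    if not segments or ".." in segments:
        return None, "empty or traversing path"
    # Problem 1: serve HTML documents only, never CGI sources or other files.
    if not segments[-1].lower().endswith(ALLOWED_EXTENSIONS):
        return None, "not an HTML file"
    root = os.path.realpath(doc_root)
    full = os.path.realpath(os.path.join(root, *segments))
    # realpath follows symlinks, so a link pointing outside the root is caught.
    if os.path.commonpath([root, full]) != root:
        return None, "outside document root"
    # Problem 2: the wrapper cannot evaluate the server's per-directory access
    # rules, so any .htaccess between the root and the file means "protected":
    # refuse instead of serving the file around the server's check.
    directories = [root]
    for segment in segments[:-1]:
        directories.append(os.path.join(directories[-1], segment))
    for directory in directories:
        if exists(os.path.join(directory, ".htaccess")):
            return None, "directory is access-controlled"
    return full, "ok"


# Constructed layout for a stand-alone run: a document root whose "members"
# subdirectory carries a .htaccess file (nothing is created on disk).
DEMO_ROOT = "/srv/www-demo"
DEMO_HTACCESS = {os.path.join(os.path.realpath(DEMO_ROOT), "members", ".htaccess")}


def demo_exists(path):
    return path in DEMO_HTACCESS


if __name__ == "__main__":
    for request in ("/docs/index.html", "/cgi-bin/script.cgi",
                    "/members/file.html", "/docs/../secret.html"):
        print(request, "->", resolve_request(DEMO_ROOT, request, demo_exists))
```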
