Jason Armstrong (jason@datrix.co.za)
Sun, 23 Nov 1997 01:09:39 +0200 (SAT)
Date: Sun, 23 Nov 1997 01:09:39 +0200 (SAT)
From: Jason Armstrong <jason@datrix.co.za>
Subject: Re: w3-msql delivering other CGI's contents [was: Re: [mSQL] w3-msql and system()]
Message-ID: <Pine.LNX.3.95.971123010520.15108A-100000@shark.datrix.co.za>

I am making all scripts into lite libraries, so that no source code is
easily visible.
On Fri, 21 Nov 1997, Stefan Kramer wrote:
>
> On Fri, 21 Mar 1997, Kell Sønnichsen wrote:
>
> > ....
> > 2) w3-msql is - in my opinion - a security risk in itself; at least
> > the version for mSQL 1.0 was. Consider this URL:
> > http://your.domain.com/cgi-bin/w3-msql/path_to_a_protected_area/file.cgi
> > As w3-msql does not look for e.g. .htaccess files in the path it has
> > access to username/password protected files in the HTTP directory.
> > As w3-msql does not look at the file extension but just passes through
> > anything not enclosed in the special w3-msql tags, it will deliver the
> > CGI-script _code_ to the browser!
> > All of this is true for the version for mSQL 1.0; I don't know about
> > the mSQL 2.0 version...
> > ....
>
> Apparently, it is still true for w3-msql in the 2.0 version. A site
> visitor who knows the path of the w3-msql CGI can use it to display the
> contents of other files on that Web server not intended for public viewing,
> including CGI scripts.
>
> As Michael Zucchi (on 21 Feb.), Mark E. Jezioro (on 27 May) and perhaps
> others have described on this list, the problem may be "bypassed," at least
> with Apache, by configuring the WWW server to run all files with a given
> extension (e.g., ".dbsql"), which would presumably contain w3-msql markup,
> through the w3-msql in a now concealable location (perhaps something less
> easily guessable than /cgi-bin/w3-msql ;-), and by never showing the
> w3-msql CGI's location in publicly visible pages; but one might argue that
> that's still only security by obscurity.
>
> ------------------------------------------------------------
> Stefan Kramer skramer@cac.washington.edu
> University of Washington Computing & Communications
> Mailstop 354841 Seattle, WA 98105-4527 USA
> ------------------------------------------------------------
Jason Armstrong
jason@datrix.co.za
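The thread above describes two defects in how w3-msql maps a URL path to a file: it processes whatever file the path names, regardless of extension, so CGI source is echoed to the browser, and it does not consult .htaccess files along the path, so HTTP-layer protection is bypassed. The following is an added example, not code from this message or from the mSQL/w3-msql project, showing the checks a defender would put in front of a server-side template processor so that only files of a designated template extension, located under the document root and outside any .htaccess-protected directory, are ever handed to the template engine. The class name TemplateResolver, the ".dbsql" extension (taken from the thread's suggestion) and the constructed sample document tree are illustrative assumptions; treating any ancestor .htaccess as "refuse to serve" is a deliberately conservative stand-in for access control the CGI cannot evaluate itself.

```python
"""Hardened path resolution for a server-side template CGI.

Added example, not part of the original mailing-list message or of w3-msql.
It models the two defects discussed in the thread (serving files regardless
of extension, and ignoring .htaccess protection along the path) and shows the
checks a defender would add before handing a path to the template engine.
Names such as TemplateResolver and the ".dbsql" extension are assumptions.
"""
import os
import tempfile


class PathRejected(Exception):
    """Raised when a requested path fails a policy check."""


class TemplateResolver:
    def __init__(self, doc_root, allowed_ext=".dbsql"):
        # Canonicalise once so later containment checks compare like with like.
        self.doc_root = os.path.realpath(doc_root)
        self.allowed_ext = allowed_ext

    def resolve(self, path_info):
        """Map a CGI PATH_INFO value to a file we are willing to process, or raise."""
        # 1. Only template files are processed. CGI scripts, configuration
        #    files and anything else are refused instead of echoed to the client.
        if not path_info.endswith(self.allowed_ext):
            raise PathRejected("extension not allowed: %s" % path_info)

        # 2. Resolve symlinks and '..' segments, then require the result to
        #    remain inside the document root.
        joined = os.path.join(self.doc_root, path_info.lstrip("/"))
        candidate = os.path.realpath(joined)
        if os.path.commonpath([self.doc_root, candidate]) != self.doc_root:
            raise PathRejected("outside document root: %s" % path_info)

        # 3. Conservative stand-in for HTTP-layer access control (assumption):
        #    the CGI cannot evaluate .htaccess rules, so it refuses to serve
        #    from any directory protected by one and leaves those files to the
        #    web server's own authentication.
        directory = os.path.dirname(candidate)
        while True:
            if os.path.exists(os.path.join(directory, ".htaccess")):
                raise PathRejected("protected directory: %s" % path_info)
            if directory == self.doc_root:
                break
            directory = os.path.dirname(directory)

        if not os.path.isfile(candidate):
            raise PathRejected("not a regular file: %s" % path_info)
        return candidate


def build_sample_root():
    """Create a small document tree (constructed sample data, not a real site)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "cgi-bin"))
    os.makedirs(os.path.join(root, "private"))
    with open(os.path.join(root, "index.dbsql"), "w") as f:
        f.write("<HTML><!-- public template --></HTML>\n")
    with open(os.path.join(root, "cgi-bin", "file.cgi"), "w") as f:
        f.write("#!/usr/bin/perl\n# constructed placeholder for script source\n")
    with open(os.path.join(root, "private", "report.dbsql"), "w") as f:
        f.write("<HTML>members only</HTML>\n")
    with open(os.path.join(root, "private", ".htaccess"), "w") as f:
        f.write("AuthType Basic\nRequire valid-user\n")
    return root


def classify(resolver, path_info):
    """Return 'served' or the rejection reason, for demonstration and tests."""
    try:
        resolver.resolve(path_info)
        return "served"
    except PathRejected as exc:
        return str(exc).split(":")[0]


if __name__ == "__main__":
    resolver = TemplateResolver(build_sample_root())
    for request in ("/index.dbsql", "/cgi-bin/file.cgi",
                    "/private/report.dbsql", "/../../etc/passwd.dbsql"):
        print("%-28s -> %s" % (request, classify(resolver, request)))
```

The extension check is what stops a request like the one quoted in the thread, /cgi-bin/w3-msql/path_to_a_protected_area/file.cgi, from returning script source: a ".cgi" file is never read at all. The .htaccess walk is deliberately blunt; a real deployment would rather let the web server perform authentication before the CGI runs, as the thread's Apache extension-mapping suggestion does.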