List: best-of-security
Subject: BoS: ncsa .htaccess
From: Julian Assange <proff () suburbia ! net>
Date: 1995-10-12 16:22:12
Source: comp.security.unix
Subject: .htaccess
While I was working on some web user registration and authentication
software I discovered a problem when submitting forms to a cgi-script
which is inside a .htaccess protected directory. It is only a configuration
problem, but if a server is set up by `blindly' following the information given
in http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html it might create a
security hole.
In this posting I'm using the term `protected' to describe HTML documents
and CGI-scripts which are only to be accessed by registered users. That is,
only users who have successfully logged in should be able to access these
documents or CGI-scripts.
Problem description:
I used an unprotected form to let users submit input data to a protected
CGI-script in order to let them change their passwords. If I used METHOD="GET"
for the form ACTION to access the CGI-script, everything worked fine. That
is, users are asked to `login' first before the CGI-script is executed.
BUT: Using METHOD="POST" inside the unprotected form enabled users to BYPASS
THE PASSWORD PROTECTION and let EVERYBODY EXECUTE the CGI-script.
This problem was caused by using the standard access.conf file (as in the
httpd-1.4.2 source distribution which uses `AllowOverride All' to give
full control to the .htaccess files) and the following .htaccess file:
===============================================================================
AuthUserFile /.../.htpasswd
AuthGroupFile /.../.htgroup
AuthName Example
AuthType Basic
<Limit GET>
require group users
</Limit>
===============================================================================
As you can see, the reason is obvious: the above .htaccess file requires
authorization only for the HTTP method GET and not for POST. But
because I was using GET in my first test forms, I thought everything
was ok. If the POST method is used by the form to access the CGI-script, the
environment variable `AUTH_TYPE=Basic' is still present (which at first gave
me the impression that some authentication took place), but `REMOTE_GROUP'
and `REMOTE_USER' were available only when using GET.
The reason for this is that inside the `check_dir_access' function of the
server source file http_access.c the value of sec[x].num_auth[m] equals 0
(if m (the variable for the used method) equals M_POST and the above .htaccess
file was used). This leads to the variable `need_auth' in the function
`evaluate_access' getting a value of -1, which causes the call to
check_auth (defined in http_auth.c) to be skipped. By this time, however,
AUTH_TYPE has already been determined and appears as an environment
variable in the CGI-script.
The simple solution: (of course :-)
replace <Limit GET> by <Limit GET POST> in .htaccess
I discovered the problem when I replaced my CGI-script with the
`change-passwd' program supplied with the NCSA httpd and tried to
figure out why it dumped core. At the end of this posting is a little
patch for `change-passwd.c' to warn about a security misconfiguration
instead of dumping core (which cannot be seen on web clients).
MY SUGGESTION:
If you have not done so, immediately add POST to all the <Limit> directives
which are used to protect CGI-scripts (in all your .htaccess files and
probably in the global `access.conf' file).
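An added audit helper, not part of the posting or of NCSA httpd, that reads a .htaccess file the way the posting describes the server treating it: only methods named in a <Limit> block that contains a `require` directive trigger authentication, and a `require` outside any <Limit> is assumed here to cover every method. The sample .htaccess is constructed after the one above.

```python
import re

# Constructed sample, modelled on the .htaccess in the posting:
# only GET is limited, so a POST form reaches the CGI-script unauthenticated.
VULNERABLE_HTACCESS = """\
AuthUserFile /.../.htpasswd
AuthGroupFile /.../.htgroup
AuthName Example
AuthType Basic
<Limit GET>
require group users
</Limit>
"""

def authenticated_methods(htaccess_text):
    """Return the set of upper-case HTTP methods for which some <Limit>
    block holds a 'require' directive. A 'require' outside any <Limit>
    is recorded as '*' (assumption: it applies to all methods)."""
    covered = set()
    current = None        # methods named by the currently open <Limit ...>
    has_require = False
    for raw in htaccess_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        opened = re.match(r'<Limit\s+([^>]+)>', line, re.IGNORECASE)
        if opened:
            current = {m.upper() for m in opened.group(1).split()}
            has_require = False
        elif re.match(r'</Limit>', line, re.IGNORECASE):
            if current is not None and has_require:
                covered |= current
            current = None
        elif line.lower().startswith('require '):
            if current is None:
                covered.add('*')
            else:
                has_require = True
    return covered

def unprotected_methods(htaccess_text, needed=('GET', 'POST')):
    """Methods from `needed` that a form can use to call a CGI-script in
    this directory without the server ever asking for credentials."""
    covered = authenticated_methods(htaccess_text)
    if '*' in covered:
        return []
    return sorted(set(needed) - covered)
```

Running unprotected_methods on the sample reports ['POST']; after changing the block to <Limit GET POST> it reports nothing.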
To the httpd guys of NCSA: maybe it could be good to add a note about this to
http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html and maybe a comment in
the `conf/access.conf' file of the httpd distribution or even better, use
<Limit GET POST> in all relevant examples instead of only <Limit GET>.
(By the way, I like your documentation about httpd. Good job, so far ;-)
Ok, here comes the promised patch for `change-passwd.c':
*** change-passwd.c.org Fri Jun 23 09:29:31 1995
--- change-passwd.c Thu Oct 5 19:57:29 1995
***************
*** 114,119 ****
--- 114,127 ----
free(t2);
}
u=getenv("REMOTE_USER");
+ if ( u == NULL) {
+ printf("User authentication seems not to be set up properly on\n");
+ printf("this server.\n<P>\nThis script should be only accessible\n");
+ printf("after user login. Please tell the server administrator\n");
+ printf("to verify if <Limit GET POST> was used to protect this\n");
+ printf("program.");
+ exit(1);
+ }
if((strcmp(u,WIZARD)) && (strcmp(user,u))) {
printf("<TITLE>User Mismatch</TITLE>");
printf("<H1>User Mismatch</H1>");
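Review bot: the NULL check on `u` before the existing `strcmp(u,WIZARD)` call is the right guard and removes the core dump, but the new branch should stay consistent with the existing error paths in this file, which emit a `<TITLE>`/`<H1>` pair (`printf("<TITLE>User Mismatch</TITLE>");`) before the explanatory text; also end the last `printf("program.");` with a newline. Note that the check only detects the symptom (no REMOTE_USER in the environment): until the directory is fixed with `<Limit GET POST>`, the script is still reachable by anyone via POST, so the message must not be taken as a replacement for the configuration change.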
P.S.: Telescript (General Magic's mobile agent programming language) is cool!
Finally General Magic is about to start an `Open Telescript'
initiative soon. A "Telescript Development Environment" will be
distributed. More details on GM's developer's conference (Oct 29-31).
--
Peter Doemel   doemel@informatik.uni-frankfurt.de
PersonaLink: Peter_Doemel@attpls.net
640 W Remington Drive, Sunnyvale, CA 94087, USA
Office: ++1-408-774-4401   Home: ++1-408-720-8245   Fax: ++1-408-774-4030
peter_doemel@genmagic.com