RE: [cgiwrap-users] OpenSRS 2.41 + CGIWrap

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

CGIwrap, and any wrapper for that matter, is basically following the
following logic at it's core:

A. Am I running as the web server userid?
B. If so, figure out who to run desired script as, and switch to their
userid and run it.

The presumption is that no one should have access to the server userid.

Since you're letting someone run as the server id, it could pass ANY data to
cgiwrap, bypassing any authorization checks, and also contaminating the
environment, path, etc. 

If a script is written 100% securely, then this might not be too bad, but
let's just say it's safe to say that it's not a good idea. It's not insecure
by itself, it's just opens up lots of other potential holes. 

-- Nathan

> -----Original Message-----
> From: Ralph Huntington [mailto:rj...@mo...]
> Sent: Wednesday, August 08, 2001 8:44 AM
> To: Neulinger, Nathan
> Cc: Adrian Parker; cgi...@li...
> Subject: RE: [cgiwrap-users] OpenSRS 2.41 + CGIWrap
> 
> 
> Well, frankly, no, I didn't realize that. Could you explain 
> to us, please,
> how that condition obtains?
> 
> i.e., How is running a script as the server uid when cgiwrap 
> is present
> different than running a script as the server uid when cgiwrap is not
> present?
> 
> And, does it make any difference if the cgiwrap dir is 
> outside the html
> tree?
> 
> Thank you, Ralph
> 
> On Wed, 8 Aug 2001, Neulinger, Nathan wrote:
> 
> > Y'all do realize of course that if you are allowing people 
> to run scripts as
> > the server userid, you are opening up an ENORMOUS GAPING 
> SECURITY HOLE on
> > your server if you are also using cgiwrap or suexec.
> >
> > -- Nathan
> >
> > > -----Original Message-----
> > > From: Ralph Huntington [mailto:rj...@mo...]
> > > Sent: Tuesday, August 07, 2001 3:45 PM
> > > To: Adrian Parker
> > > Cc: cgi...@li...
> > > Subject: Re: [cgiwrap-users] OpenSRS 2.41 + CGIWrap
> > >
> > >
> > > > How do we turn CGIWrap off by directories?  I though in
> > > httpd.conf we
> > > > might be able to remove "AddHandler cgi-wrapper .pl" 
> and "AddHandler
> > > > cgi-wrapper .cgi" from <VirtualHost *>, but that doesn't seem to
> > > > change anything.
> > >
> > > We solve this for the occasional scripts that give 
> problems (AutoCart
> > > comes to mind). We do not use the AddHandler, but rather 
> configure two
> > > ScriptAlias'd dirs for each domain. The user can choose where
> > > to put the
> > > script to have it wrapped or not.
> > >
> > > The wrapped dir is named 'cgiwrap' and is in the home dir.
> > > The unwrapped
> > > (cgi-bin) dir is in htdocs.
> > >
> > > Hope this is useful to you or someone.		- Ralph
> > >
> > >
> > > _______________________________________________
> > > cgiwrap-users mailing list
> > > cgi...@li...
> > > http://lists.sourceforge.net/lists/listinfo/cgiwrap-users
> > >
> >
> > _______________________________________________
> > cgiwrap-users mailing list
> > cgi...@li...
> > http://lists.sourceforge.net/lists/listinfo/cgiwrap-users
> >
> 