How do I allow /secure/file.ext, but disallow /cgi-bin/process.cgi/secure/file.ext?


Post by Vincent Partingto » Mon, 10 Nov 1997 04:00:00



Hi,

I am about to write a CGI program that will process files ending in a certain
extension, say ".ext". Using Apache 1.2, I can add a mime-type for ".ext" and
add an action like
Action application/x-ext /cgi-bin/process.cgi
to make the CGI program process all files ending in ".ext".

Let's say the directory "/secure" is protected by a password, while the
directory "/cgi-bin" is not. When a request is made for the file
"/secure/file.ext", the CGI program "/cgi-bin/process.cgi" is run with
"/secure/file.ext" as its PATH_INFO. However, a visitor to my site can get the
same output by requesting the URL "/cgi-bin/process.cgi/secure/file.ext", and
thereby bypassing the password protection.

Is there a way around this problem? I've experimented with mod_rewrite but
could not find a solution there. The only "solution" I can think of now, is
security-by-obfuscation, i.e. rename "/cgi-bin/process.cgi" into something
weird and hope people never find out. Obviously, that does not make me feel
good. :-)

I hope someone can help me. Thanks in advance, Vincent.


How do I allow /secure/file.ext, but disallow /cgi-bin/process.cgi/secure/file.ext?

Post by Miquel van Smoorenbu » Mon, 10 Nov 1997 04:00:00




>Hi,

>I am about to write a CGI program that will process files ending in a certain
>extension, say ".ext". Using Apache 1.2, I can add a mime-type for ".ext" and
>add an action like
>Action application/x-ext /cgi-bin/process.cgi
>to make the CGI program process all files ending in ".ext".

Hmm...

AddHandler ext-action ext
Action ext-action /cgi-bin/ext-action

should do it.

Mike.
--
   Miquel van      | Cistron Internet Services   --    Alphen aan den Rijn.




How do I allow /secure/file.ext, but disallow /cgi-bin/process.cgi/secure/file.ext?

Post by Vincent Partingto » Wed, 12 Nov 1997 04:00:00





> >Hi,

> >I am about to write a CGI program that will process files ending in a certain
> >extension, say ".ext". Using Apache 1.2, I can add a mime-type for ".ext" and
> >add an action like
> >Action application/x-ext /cgi-bin/process.cgi
> >to make the CGI program process all files ending in ".ext".

> Hmm...

> AddHandler ext-action ext
> Action ext-action /cgi-bin/ext-action

> should do it.

This takes care of having "/cgi-bin/process.cgi" process every file that ends
in ".ext", but how do I prevent users from directly accessing a URL like
"/cgi-bin/process.cgi/secure/file.ext"? If users can do that, they can get
around the ".htaccess" file placed in the "/secure" directory.

Regards, Vincent.
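The question left open above, that is, how the handler tells an Action-triggered run apart from a direct hit on "/cgi-bin/process.cgi/secure/file.ext", has a workable answer inside the CGI program itself. When Apache reaches a handler through an Action directive it does an internal redirect and exports the original request's details with a REDIRECT_ prefix (REDIRECT_STATUS and REDIRECT_URL in particular); a direct request for the CGI carries none of these, and a client cannot forge them because request headers only ever surface as HTTP_* variables. The access check on "/secure" has already run by the time the redirect happens, so a handler that refuses to serve anything unless REDIRECT_URL names exactly the document in PATH_INFO closes the bypass. The script below is an added example written for this thread, not code from the original posters; it is a Python stand-in for process.cgi, the process() transformation is a placeholder, and the DocumentRoot "/htdocs" used in the usage line is assumed.

```python
#!/usr/bin/env python3
"""Guard for a CGI program that Apache runs through an Action directive.

Added example (not from the thread). Assumes Apache's documented behaviour of
exporting REDIRECT_STATUS / REDIRECT_URL on the internal redirect that an
Action handler triggers; a direct request for the CGI has no such variables.
"""
import os
import sys


def invoked_via_action(environ):
    """True only if we were reached by an internal redirect whose original
    URL is exactly the document named in PATH_INFO.

    A direct request for /cgi-bin/process.cgi/secure/file.ext has no
    REDIRECT_STATUS at all, so it fails the first check. The second check
    stops a redirect for one document being used to read another one."""
    if "REDIRECT_STATUS" not in environ:
        return False
    original = environ.get("REDIRECT_URL", "")
    return original != "" and original == environ.get("PATH_INFO", "")


def document_path(environ, docroot):
    """Resolve PATH_INFO below docroot; return None if it escapes docroot."""
    root = os.path.realpath(docroot)
    rel = environ.get("PATH_INFO", "").lstrip("/")
    target = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def process(text):
    """Placeholder for whatever the real process.cgi does to a .ext file."""
    return text.upper()


def handle(environ, docroot):
    """Return (status_line, body) for one request; nothing is printed here
    so the logic can be exercised without a web server."""
    if not invoked_via_action(environ):
        return ("403 Forbidden",
                "This handler may only be reached through the server's "
                "Action mapping.\n")
    path = document_path(environ, docroot)
    if path is None:
        return ("403 Forbidden", "Bad path.\n")
    try:
        with open(path, encoding="utf-8") as fh:
            data = fh.read()
    except OSError:
        return ("404 Not Found", "No such document.\n")
    return ("200 OK", process(data))


if __name__ == "__main__":
    # Real CGI entry point: environment comes from Apache. "/htdocs" is an
    # assumed fallback DocumentRoot for running the script by hand.
    status, body = handle(os.environ, os.environ.get("DOCUMENT_ROOT", "/htdocs"))
    sys.stdout.write("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s"
                     % (status, body))
```

Used with the AddHandler/Action pair from the thread, a request for "/secure/file.ext" is first subjected to the .htaccess check, then redirected internally with REDIRECT_URL=/secure/file.ext, and is served; a request for "/cgi-bin/process.cgi/secure/file.ext" arrives without REDIRECT_STATUS and gets a 403 regardless of what "/cgi-bin" itself permits. Denying direct access to the CGI in httpd.conf is not a substitute, because the internal redirect is checked against the same rules and would be blocked as well.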


1. /cgi-bin/phf /cgi-bin/test-cgi /cgi-bin/handler

I've been seeing a number of attacks of this sort recently
from various sites in the http logs.  The time correlation
between the logs on various hosts suggests that the attacker
was scanning sequentially upward in IP addresses.  Since all
tcp and udp packets to ports below 1024 except for http,
smtp, and ident are filtered out for most, including the
attacking, sites, I'm not seeing anything else in the logs.

209.61.73.47 - - [04/Jul/1998:07:19:27 -0500] "GET /cgi-bin/phf" 404 -
209.61.73.47 - - [04/Jul/1998:07:19:28 -0500] "GET /cgi-bin/test-cgi" 404 -
209.61.73.47 - - [04/Jul/1998:07:19:28 -0500] "GET /cgi-bin/handler" 404 -

Is this a signature of some known attackware?  If so, what
other attacks accompany these http probes?

--
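A small log check of the kind the post above is asking for, written as an added example rather than anything from the original poster: it parses common-log-format lines, keeps only requests for a set of well-known CGI probe paths, and reports hosts that asked for several distinct probe paths within a short window, which is the sequential-scanner pattern the three quoted lines show. The sample log embeds the three lines quoted in the post plus constructed lines for a normal visitor and for a host that only tried one path; the probe-path list, the one-minute window and the two-path threshold are assumptions to tune locally.

```python
"""Flag hosts that probe several well-known CGI paths in quick succession.

Added example (not from the post). PROBE_PATHS, the window and the threshold
are assumptions; extend them with whatever your own logs show.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# CGI names that early scanners requested; one hit is noise, several from
# the same host within a minute is a scan.
PROBE_PATHS = {"/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/handler"}

# Common log format; the protocol token is optional because the lines in the
# post were logged without one.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample: the three lines from the post, one ordinary visitor,
# and one host that tried a single probe path with a query string.
SAMPLE_LOG = """\
209.61.73.47 - - [04/Jul/1998:07:19:27 -0500] "GET /cgi-bin/phf" 404 -
209.61.73.47 - - [04/Jul/1998:07:19:28 -0500] "GET /cgi-bin/test-cgi" 404 -
209.61.73.47 - - [04/Jul/1998:07:19:28 -0500] "GET /cgi-bin/handler" 404 -
10.0.0.5 - - [04/Jul/1998:07:20:01 -0500] "GET /index.html HTTP/1.0" 200 1024
192.0.2.9 - - [04/Jul/1998:08:11:40 -0500] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 -
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not in CLF."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # compare without query string
    return rec


def find_scanners(lines, min_paths=2, window=timedelta(seconds=60)):
    """Map host -> [(time, path, status), ...] for hosts that requested at
    least min_paths distinct probe paths inside any window-sized span."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in PROBE_PATHS:
            hits[rec["host"]].append((rec["time"], rec["path"], rec["status"]))
    scanners = {}
    for host, events in hits.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - t0 <= window]
            if len({p for _, p, _ in burst}) >= min_paths:
                scanners[host] = events
                break
    return scanners


def successful_probes(scanners):
    """Subset of scanner events that got a 2xx: the ones that need follow-up,
    since a 404 means the probed CGI was not even installed."""
    return {h: [e for e in ev if 200 <= e[2] < 300]
            for h, ev in scanners.items() if any(200 <= e[2] < 300 for e in ev)}


if __name__ == "__main__":
    found = find_scanners(SAMPLE_LOG.splitlines())
    for host, events in found.items():
        print(host, "probed", sorted({p for _, p, _ in events}))
    print("successful:", successful_probes(found) or "none")
```

Run against a real access_log with `find_scanners(open("access_log"))`; the 404s in the post mean none of the probed programs existed on that host, so the output of successful_probes() is what decides whether there is anything beyond a scan to investigate.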
