Bugtraq: Re: www-sql cgi prog overrides .htaccess restrictions.

[markjr () SHMOOZE NET (Stunt Pope)]

On 09-Feb-98 Mr LEROY christophe wrote:
> www-sql is a cgi program to access a mysql database via a http server
> and create easyly some pages from a query result.
>
> That program acts as a filter, using PATH_TRANSLATED feature to
> access html files on your server tree, and it translates <! sql ...> tags
> into html viewable text, letting other parts of the html file unchanged.
>
> The problem is that www-sql performs nothing to verify if a user can
> access the intended PATH_TRANSLATED file.
>
> So, suppose your htdocs tree is /home/htdocs/
> you have a subdirectory /home/htdocs/protected/ in which you have
> you have restricted access using .htaccess file.
> In your browser, enter URL http://your.server/protected/something.html:
> you get prompted a username and a password.
> Now, enter URL http://your.server/cgi-bin/www-sql/protected/something.html:
> you get the requested file
>
> www-sql is available into Incoming sunsite directory
This is a common characteristic of other "cgi-wrapper" programs as well,
including w3-msql and php.cgi. The latter addresses this by giving one
the option to set PATTERN_RESTRICT at compile time (that way it will
only load files ending in say ".phtml"), or by compiling as an apache
module. I'm not sure about w3-msql because I haven't been following it
for quite some time.

regards, markjr

---
Mark Jeftovic                   aka: mark jeff or vic, stunt pope.
markjr () shmOOze net              http://www.shmOOze.net/~markjr
PWC's BOFH                      http://www.PrivateWorld.com
irc: L-bOMb                     Keep `em Guessing