Cobalt RaQ2/RaQ3 Web Server Appliance cgiwrap bypass Vulnerability

From BugTraq post:

There is a security problem with FrontPage extensions on the Cobalt RaQ2
and RaQ3 web hosting appliances. It allows any user on the system to
change, delete, or overwrite a FrontPage site.

When a site is uploaded with FrontPage to a RaQ2/3, all of the files are owned
by user "httpd" instead of a site-specific user. The Apache web server
is also running as user "httpd". Cobalt uses cgiwrap to have CGIs run
as the user that owns the CGI instead of "httpd", but it is trivial to
bypass cgiwrap and run scripts as user "httpd".

You can bypass cgiwrap because the Apache config files have the line
"AllowOverride All". All you have to do is create an .htaccess file
with these lines in it:

Options +ExecCGI
AddHandler cgi-script .cgi

Then CGIs in that directory will be run with the web server's access as
user "httpd".

As far as I can tell, the only "safe" things in an AllowOverride line in
the Apache config are AuthConfig, Indexes, and Limit (these allow users
some control over their pages without bypassing system security settings
in the server config).

This same AllowOverride setting pretty much nullifies the "Enable CGI
Scripts" and "Enable Server Side Includes" options on the site
administration config for a web site, since CGI and SSI can be enabled
through a .htaccess file even if the administrator disables them.


Privacy Statement
Copyright 2010, SecurityFocus