On 09-Feb-98 Mr LEROY christophe wrote:

> www-sql is a cgi program to access a mysql database via a http server
> and easily create some pages from a query result.
>
> That program acts as a filter, using the PATH_TRANSLATED feature to
> access html files on your server tree, and it translates <! sql ...> tags
> into html viewable text, leaving other parts of the html file unchanged.
>
> The problem is that www-sql performs nothing to verify if a user can
> access the intended PATH_TRANSLATED file.
>
> So, suppose your htdocs tree is /home/htdocs/
> you have a subdirectory /home/htdocs/protected/ in which you have
> restricted access using a .htaccess file.
> In your browser, enter URL http://your.server/protected/something.html:
> you get prompted for a username and a password.
> Now, enter URL http://your.server/cgi-bin/www-sql/protected/something.html:
> you get the requested file
>
> www-sql is available in the sunsite Incoming directory

This is a common characteristic of other "cgi-wrapper" programs as well,
including w3-msql and php.cgi. The latter addresses this by giving one the
option to set PATTERN_RESTRICT at compile time (that way it will only load
files ending in say ".phtml"), or by compiling as an apache module. I'm not
sure about w3-msql because I haven't been following it for quite some time.

regards,
markjr

---
Mark Jeftovic                aka: mark jeff or vic, stunt pope.
markjrat_private             http://www.shmOOze.net/~markjr
PWC's BOFH                   http://www.PrivateWorld.com
irc: L-bOMb                  Keep 'em Guessing
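The following is an added illustration, not code from www-sql, php.cgi or the thread's authors, of the kind of gate a PATTERN_RESTRICT-style compile-time setting gives a CGI filter before it opens the file named by PATH_TRANSLATED: the path must sit under the document root and must carry the one extension the wrapper is built to handle. DOCROOT, ALLOWED_SUFFIX, the function names and the sample paths are all assumed values constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not www-sql's own code. DOCROOT and ALLOWED_SUFFIX
 * stand in for values a wrapper would fix at compile time, the way the post
 * describes php.cgi's PATTERN_RESTRICT. */
#define DOCROOT        "/home/htdocs"
#define ALLOWED_SUFFIX ".phtml"

enum verdict { SERVE = 0, REJECT_SUFFIX, REJECT_ROOT, REJECT_TRAVERSAL };

/* 1 if s ends with suffix, else 0. */
static int ends_with(const char *s, const char *suffix) {
    size_t sl = strlen(s), xl = strlen(suffix);
    return sl >= xl && memcmp(s + sl - xl, suffix, xl) == 0;
}

/* 1 if any '/'-separated segment of p is exactly "..", else 0. The prefix
 * test below is purely lexical, so a parent-directory segment must be
 * refused before the prefix test can be trusted. */
static int has_dotdot_segment(const char *p) {
    const char *seg = p;
    for (;;) {
        const char *end = strchr(seg, '/');
        size_t len = end ? (size_t)(end - seg) : strlen(seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return 1;
        if (!end)
            return 0;
        seg = end + 1;
    }
}

/* Decide whether the filter may open pt (the value of PATH_TRANSLATED).
 * Order matters: traversal first, then containment, then the suffix gate. */
enum verdict check_path_translated(const char *pt) {
    size_t rl = strlen(DOCROOT);
    if (has_dotdot_segment(pt))
        return REJECT_TRAVERSAL;
    /* Must start with DOCROOT and continue with a separator, so that a
     * sibling such as "/home/htdocs2/..." is not accepted as a prefix match. */
    if (strncmp(pt, DOCROOT, rl) != 0 || pt[rl] != '/')
        return REJECT_ROOT;
    if (!ends_with(pt, ALLOWED_SUFFIX))
        return REJECT_SUFFIX;
    return SERVE;
}

int main(void) {
    /* Constructed sample inputs, modelled on the paths in the post. */
    const char *samples[] = {
        "/home/htdocs/index.phtml",
        "/home/htdocs/protected/something.html",
        "/home/htdocs/../outside/page.phtml",
        "/var/other/page.phtml",
    };
    static const char *names[] = { "SERVE", "REJECT_SUFFIX",
                                   "REJECT_ROOT", "REJECT_TRAVERSAL" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-42s -> %s\n", samples[i], names[check_path_translated(samples[i])]);
    return 0;
}
```

Note what this gate does and does not buy: it stops the wrapper from handing out plain .html files such as protected/something.html, but a file that does match the pattern and lives inside a .htaccess-protected directory is still served without the server's authentication step, because the CGI program never sees the server's access rules. That is why the post's other option, running the filter as an Apache module so the request passes through the server's own access control before any file is read, closes the gap rather than narrowing it.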
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:42:11 PDT