In message <Pine.GSO.3.95.iB1.0.980923230803.5268A-100000@halifax>, "Michael T. Smith" writes:
>On Mon, 21 Sep 1998, Chuck Byam wrote:
>> The following note was sent to the Xitami mailing list Monday, September 21,
>> 1998.
>>[Security alert that Xitami has feature that allows cgi-bin
>>directories under webpages area, and that if ftp into webpages area
>>is enabled anyone with ftp access can upload their own cgi-bin programs]
>
>The thing is, this was always in the docs (it was considered a feature; I
>_think_ there was a way to turn it off but no one remembers how now ;). I
>guess people didn't catch this in the docs so iMatix did the right thing
>and posted the alert.

Xitami doesn't support the *.cgi convention for CGI programs that some webservers (optionally) support. As an alternative Xitami has a feature where any directory named "cgi-bin" (or the user-configured name) could be considered a cgi-bin directory, and cgi programs executed out of it. This was documented, as a feature, and several people using Xitami make use of it to subdivide their cgi-bin directories (by project, etc), keeping the cgi programs near the relevant html files.

Xitami also has a built-in ftp server. By default this ftp server is pointed at a different area from the default webpages area (configured for an anonymous ftp file download area). However, some people configured it so that ftp access into their webpages area was allowed (with suitable username/passwords), to let their clients (etc) upload new webpages.

With this configuration it was possible for a user to connect with ftp, and providing they had the right access rights (which also needed to be configured), they could create a new "cgi-bin" directory and then put a program into it. Then they could run it by accessing it as:

http://servername/path/to/their/cgi-bin/program

Obviously this poses a security risk if you can't completely trust the users who have access to the webpages area (ftp access can be restricted by both passwords, and also IP address ranges). It is a particular concern under operating systems which don't provide non-privileged users (eg, Windows 95); and a considerable number of users of Xitami use it in such an environment. So iMatix issued a security alert.

The default configuration is safe. But an inadvertent combination of features can lead to a security risk.

In all recent released versions of Xitami up to and including Xitami 2.3d1 (the currently released version) the "any cgi-bin directory" feature is enabled, and there isn't a configuration option to switch it off. The next release (an alpha release is planned in the next few weeks) will have that feature turned off, and an option to turn it on for people using Xitami in an environment where security is less of a concern (eg, a personal PC, or a small Intranet). Until then iMatix advises people to take care when allowing users ftp access into the webpages area.

Xitami is an Open Source program, and the source can be found on the iMatix website (http://www.imatix.com/). Anyone wishing to disable the "any cgi-bin directory" feature prior to the next release can patch the source (in smthttpl.c, http_get_url_type()) that detects cgi-bin URLs by changing the existing strstr() match on the URL to something like strncmp() (ie, match only at the start).

Ewen
--
Ewen McNeill, Technical Consultant, iMatix Corporation
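The strstr() versus strncmp() change suggested above, shown as an added stand-alone example (this is not Xitami's own http_get_url_type() from smthttpl.c, whose exact matching logic is not shown here). It assumes the configured cgi-bin directory name is the default "cgi-bin" and that the check is applied to the URL path rather than the full URL; both functions and the sample paths are constructed for illustration. The first function reproduces the "any cgi-bin directory" behaviour the post describes, the second the hardened prefix match, so the difference on a path such as the one in the post can be seen directly:

```c
#include <stdio.h>
#include <string.h>

/* Assumed: the default cgi-bin directory name (Xitami lets this be configured). */
#define CGI_DIR "cgi-bin"

/* Behaviour of the shipped versions as described in the post:
 * a "/cgi-bin/" component anywhere in the path makes the request a CGI
 * request, so a directory created deep under the webpages area qualifies. */
int is_cgi_url_anywhere(const char *path)
{
    return strstr(path, "/" CGI_DIR "/") != NULL;
}

/* Hardened variant suggested in the post: only match at the start of the
 * path, so only the top-level cgi-bin directory of the webpages area is
 * treated as a CGI directory. */
int is_cgi_url_root_only(const char *path)
{
    static const char prefix[] = "/" CGI_DIR "/";
    return strncmp(path, prefix, sizeof prefix - 1) == 0;
}

/* Constructed sample paths, including the shape of the URL from the post
 * and a near-miss ("cgi-binary") that neither check should flag. */
static const char *const sample_paths[] = {
    "/cgi-bin/program",
    "/path/to/their/cgi-bin/program",
    "/docs/cgi-binary/readme.html",
    "/index.html",
};

int main(void)
{
    size_t i;
    printf("%-40s %-9s %-9s\n", "path", "anywhere", "root-only");
    for (i = 0; i < sizeof sample_paths / sizeof sample_paths[0]; i++) {
        printf("%-40s %-9s %-9s\n", sample_paths[i],
               is_cgi_url_anywhere(sample_paths[i]) ? "CGI" : "static",
               is_cgi_url_root_only(sample_paths[i]) ? "CGI" : "static");
    }
    return 0;
}
```

With the prefix match, an ftp user who can only write below a sub-directory of the webpages area can no longer turn a freshly created directory into a CGI directory; only the administrator-controlled top-level cgi-bin remains executable.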
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:17:47 PDT