On Tue, 17 Aug 1999, gregory duchemin wrote: > there is a really stupid bug in w3-msql cgi-bin developped > by Hughes Technology: http://www.Hughes.com.au > This bug is a bit old but seams to be always actual in the > last release of this software: mini-sql v 2.0.10.1 This isn't a bug in our opinion, it's just the way embedded web scripting works. There are security related facilities included in w3-mSQL to avoid these problems and they are outined below. > It's very simple to exploit the flaw; An intruder is able to > look at everything on a remote web server even if the > directory is ".htaccess protected". (eg apache) > > the first way to do it: > > http://www.victim.org/cgi-bin/w3-msql/protected-directory/pr > ivate-file > note: in this case, the intruder 'll have to already know th > structure of the directory W3-mSQL has always supported the concept of a private document tree. If you set the Force_Private option in the w3-msql section of the config file to True then w3-msql will not access documents directly from your web tree. In that case it uses /usr/local/Hughes/www as the document root for anything accessed via w3-msql. This also allows you to hide your w3-msql source code. Included in the new 2.0.11 release (shipping from our web site and mirrors on 20 Aug 1999) is a new configuration option called Force_Suffix. If set, w3-mSQL will only process files if the filename's suffix matches the suffix specified in the config file. Setting this to .msql for example ensures that the rest of your pages cannot be accessed via w3-mSQL. I hope this answers your concerns about w3-mSQL. Bambi --- ______ / / / / / David J. Hughes /___/ ___ /__ ___ ___ / ___ ___ /__ Bambiat_private / / / / / / / / /__/ /__ / /__/ / / / Managing Director / / /__/ /__/ / / /__ ___/ / /__ /__ / / o Hughes Technologies __/
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:15 PDT