Title: Cobalt RaQ2/RaQ3 Web Server Appliance cgiwrap bypass Vulnerability
Severity: HIGH
Description:
From BugTraq post:
There is a security problem with FrontPage extensions on the Cobalt RaQ2
and RaQ3 web hosting appliances. It allows any user on the system to
change, delete, or overwrite a FrontPage site.
When a site is uploaded with FrontPage to a RaQ2/3, all of the files are owned
by user "httpd" instead of a site-specific user. The Apache web server
is also running as user "httpd". Cobalt uses cgiwrap to have CGIs run
as the user that owns the CGI instead of "httpd", but it is trivial to
bypass cgiwrap and run scripts as user "httpd".
You can bypass cgiwrap because the Apache config files have the line
"AllowOverride All". All you have to do is create an .htaccess file
with these lines in it:
Options +ExecCGI
AddHandler cgi-script .cgi
Then CGIs in that directory will be run with the web server's access as
user "httpd".
As far as I can tell, the only "safe" things in an AllowOverride line in
the Apache config are AuthConfig, Indexes, and Limit (these allow users
some control over their pages without bypassing system security settings
in the server config).
This same AllowOverride setting pretty much nullifies the "Enable CGI
Scripts" and "Enable Server Side Includes" options on the site
administration config for a web site, since CGI and SSI can be enabled
through a .htaccess file even if the administrator disables them.
Affected Products:
- Cobalt RaQ 2.0.0
- Cobalt RaQ 3.0.0
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
