From jeffb@COBALT.COM Thu Nov 11 17:32:58 1999 From: Jeff Bilicki Resent-From: mea culpa To: BUGTRAQ@SECURITYFOCUS.COM Resent-To: jericho@attrition.org Date: Tue, 9 Nov 1999 15:09:39 -0800 Subject: [Cobalt] Security Advisory - cgiwrap Cobalt Networks -- Security Advisory -- 11.09.1999 Problem: The current version of cgiwrap that runs on RaQ 2 and RaQ 3i, runs under incorrect effective permissions, which could let a malicious site-admin view or modify data in another virtual site on the same unit. Description: Thanks to Chris Adams Chris Adams wrote: >There is a problem (actually several) with the "cgiwrap" program on >Cobalt RaQ2 servers. It is supposed to run CGI programs as the proper >user instead of "nobody" to make CGIs a little more secure. [SNIP] >The bigger problem is that cgiwrap apparently interprets top level >directories of the site /web directory as users. So if you have a CGI >in a directory like /home/sites/site1/web/test/test.cgi and attempt to >go to it at http://www.site1.com/test/test.cgi AND there is a user on >the system named "test", cgiwrap thinks it should run the script as user >"test". It then actually attempts to run a script in /web directory of >the user "test". [SNIP] Cobalt Networks is dedicated to providing secure platforms. Accordingly, we have just completed a fix for this bug that is available in RPM format, which can be found at the following locations: RaQ 3i (x86) RPM: ftp://ftp.cobaltnet.com/pub/experimental/secuirty/rpms/cgiwrap-pacifica-3.6.4.C5.i386.rpm SRPM: ftp://ftp.cobaltnet.com/pub/experimental/secuirty/srpms/cgiwrap-pacifica-3.6.4.C5.src.rpm RaQ 2 (MIPS) RPM: ftp://ftp.cobaltnet.com/pub/experimental/secuirty/rpms/cgiwrap-raq2-3.6.4.C5.mips.rpm SRPM: ftp://ftp.cobaltnet.com/pub/experimental/secuirty/srpms/cgiwrap-raq2-3.6.4.C5.src.rpm MD5 sum Package Name -------------------------------------------------------------------------- 701b43ba607edee44c684ac2d428e710 cgiwrap-pacifica-3.6.4.C5.i386.rpm 41b7277afefb199c01a212dc86dab05b cgiwrap-pacifica-3.6.4.C5.src.rpm 0484a11647a3700fa0b9afe431c55d19 cgiwrap-raq2-3.6.4.C5.mips.rpm 5f3b483c352d25b3b11d266811e8b933 cgiwrap-raq2-3.6.4.C5.src.rpm You can verify each rpm using the following command: rpm --checksig [package] To install, use the following command, while logged in as root: rpm -U [package] The package file format (pkg) for this fix is currently in testing, and will be available in the very near future. Jeff Bilicki Software Engineer Cobalt Networks jeffb@cobalt.com