Message-Id: <199704281816.OAA02238@u4-138.openmarket.com> To: email@example.com (Shadrach Todd) Subject: Re: Re: BUG: fastcgi ssi output is not parsed for nested ssi's In-Reply-To: Your message of "Fri, 25 Apr 1997 16:05:31 EDT." <199704252005.QAA28342@binge.dev.pathfinder.com.pathfinder.com> Date: Mon, 28 Apr 1997 14:16:46 -0400 From: Stanley Gambarin <gambarin@OpenMarket.com> The following is the description of a potential security hole that may occur if the parsing of the output of the CGIs is done for embedded SSIs. Note that the following description contains a lot of IFs and is also highly dependent on the server configuration. It is only used to represent one potential security problem, but there maybe more involved ones. As for my personal opinion on the subject, this functionality should be an optional one, since it provides more powerful features at the cost of the potential security problems. Configuration is as follows: (server dependent, of course) - a server is configured to allow the execution of the CGI scripts by system users (i.e. a user can write their own CGI script) - server is running as process id of root - server performs minimalistic, if any, uid/gid checks (this is implementation dependent) Hole: - a user on the system would like to access the information in some file, say /etc/passwd, that he/she can not access due to the lack of permissions. Executing a simple CGI which cats /etc/passwd is not possible, as web server makes sure that CGI are executed as uid of the user. - a user writes a CGI program which outputs the following Content-type: text/x-server-parsed-html <!--#include file="/etc/passwd"--> - a user accesses the program from the netscape. Now, if the server parses output of the CGIs, it will issue a subrequest to process the new information. Pending the implementation, it will either include the contents of the /etc/passwd (as web server is running as a root) or disallow the request. The problem with the above is to decide when should the subrequest be allowed to proceed and when should it be denied (maybe all requests to the same machine are denied, but remote requests (like redirection) is allowed). As I stated before, there are a lot of IFs and the actual problems are highly dependent on server implementation, but the above is a possible example of the security hole. Hope that was of some help. Stanley.