Bug 23255 - /var/www/cgi-bin/htsearch remotely accessible
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: htdig
Version: 7.1
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: David Lawrence
Whiteboard: Florence Beta-3
Keywords: Security

Reported: 2001-01-03 17:27 EST by Chris Evans
Modified: 2007-04-18 12:30 EDT
Doc Type: Bug Fix
Last Closed: 2001-01-11 16:12:10 EST
Description Chris Evans 2001-01-03 17:27:09 EST
NOTE: Assigned to apache component; no htdig component.

A new potentially nasty risk has surfaced.
It is a new remotely accessible cgi binary.

It is called "htsearch" and it is a 350kb binary.

This risk is present with a full install and with apache running.

Note that the other two cgi binaries in a full install are not
executable.

Can we please make this new cgi binary inaccessible by
default, like we did with "nut-cgi"!
Comment 1 Gerald Teschl 2001-01-04 06:52:24 EST
Maybe split the htdig package. Most people will only install it since it is a
requirement for KDE. So putting the cgi file into a separate package would
resolve this problem.
Comment 2 Bernhard Rosenkraenzer 2001-01-10 15:01:30 EST
I've split the htdig package - the problem remains on a typical newbie's
"Everything" install, though.

Alternatives (I don't really like any of them):
- chmod 0644 the CGI. Gets rid of the possible security leak, but makes it
  harder to use the functionality if it's wanted
- Change the default httpd.conf not to start any CGIs (same problems as with #1,
  though)

Better suggestions?
Comment 3 Glen Foster 2001-01-11 16:12:06 EST
This defect is considered MUST-FIX for Florence Gold release
Comment 4 Phil Knirsch 2001-01-16 11:07:11 EST
After discussing it with Bero I think we should stick with the current solution.

The thing is that even after an 'Everything' installation apache is not turned on
(like hardly any other daemon), leaving the system in a secure state.

If someone now activates apache he/she has to be aware that after an 'Everything'
installation quite a few packages get installed, some most likely related to
apache, so it's now the responsibility of the user to make sure he/she only
has the packages installed he/she really wants.

And with a normal installation the htdig-web won't be installed and therefore
even apache will, after activation, remain as secure as it always was ;).

And installing the htdig-web package and having the htsearch not being
executable is extremely pointless. It's like installing netscape without
execution permission and then expecting the user to activate this insecure web
browser.

I'd call it fixed this way. Other suggestions are as always welcome...

Read ya, Phil
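
An added example, not part of the bug report or of the htdig package: a shell audit for the condition discussed in this thread, listing files under a CGI directory that carry an execute bit and are not on an administrator-maintained allowlist. The allowlist file, the function names and the sample file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. The allowlist file (one relative
# path per line) is a hypothetical convention for CGIs the admin approved.

# Print, relative to DIR, every regular file under DIR with an execute bit
# set for user, group or other. Mode 0644 files are not listed.
list_executable_cgis() {
    ( cd "$1" && find . -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print ) |
        sed 's|^\./||' | sort
}

# Print executables under DIR that ALLOWLIST does not name.
# Returns 0 if there are none, 1 if any were found, 2 on unusable arguments.
audit_cgi_dir() {
    dir=$1
    allowlist=$2
    [ -d "$dir" ] && [ -r "$allowlist" ] || return 2
    unapproved=$(list_executable_cgis "$dir" | grep -F -x -v -f "$allowlist" || true)
    if [ -z "$unapproved" ]; then
        return 0
    fi
    printf '%s\n' "$unapproved"
    return 1
}

# Constructed sample tree: htsearch is mode 0755, two placeholder CGIs are 0644.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/cgi-bin"
    : > "$root/cgi-bin/htsearch";     chmod 0755 "$root/cgi-bin/htsearch"
    : > "$root/cgi-bin/sample-a.cgi"; chmod 0644 "$root/cgi-bin/sample-a.cgi"
    : > "$root/cgi-bin/sample-b.cgi"; chmod 0644 "$root/cgi-bin/sample-b.cgi"
    : > "$root/allow.txt"             # empty allowlist: nothing approved yet
    printf '%s\n' "$root"
}

sample=$(make_sample_tree)
echo "Executable CGIs not on the allowlist:"
audit_cgi_dir "$sample/cgi-bin" "$sample/allow.txt" ||
    echo "-> review these before starting httpd"
echo htsearch > "$sample/allow.txt"   # administrator opts in to htsearch
audit_cgi_dir "$sample/cgi-bin" "$sample/allow.txt" &&
    echo "Nothing unapproved after the opt-in"
rm -rf "$sample"
```

On a real host the first argument would be the CGI directory named in the report, /var/www/cgi-bin.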
