Richard Megginson discovered that Admin Server as used by Red Hat Directory Server 8 and Fedora Directory Server does not properly restrict access to CGI scripts. This could allow an unauthenticated user to gain access to information or perform tasks that should be restricted to authenticated administrative users.
Created attachment 302493: cvs commit log

Resolves: bugs 437301 and 437320
Description:
Directory Server: shell command injection in CGI replication monitor
Directory Server: unrestricted access to CGI scripts
Fix Description:
- remove ScriptAlias for bin/admin/admin/bin - do not use that directory for CGI URIs - use only protected URIs for CGIs requiring authentication
- Remove most CGI parameters from repl-monitor-cgi.pl - user must supply replmon.conf in the admin server config directory instead of passing in this pathname
- repl-monitor-cgi.pl does not use system to call repl-monitor.pl, it "includes" that script (using perl import).
Platforms tested: all supported platforms
Flag Day: no
Doc impact: release notes are available
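The two CGI patterns the fix description contrasts, as an added Perl example that is not the Directory Server code: the request parameter name `configfile`, the `ADMSERV_CONFIG_DIR` environment variable with its placeholder default, and the `run_monitor` entry point of repl-monitor.pl are all assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from fedora-ds-admin. Shows the pattern the fix
# removes and the pattern it replaces it with, side by side.
use strict;
use warnings;
use CGI qw(param header);

# Assumption: the admin server config directory comes from the environment;
# the default is a placeholder, not the real install path.
my $CONFIG_DIR = $ENV{ADMSERV_CONFIG_DIR} || '/path/to/admin-serv-config';

# BEFORE (pattern the fix removes): the pathname of the config file is taken
# from the request and interpolated into a single-string system() call, so
# the client controls part of a shell command line. Never called here.
sub run_monitor_unsafe {
    my $conf = param('configfile');           # hypothetical parameter name
    return system("repl-monitor.pl -f $conf"); # shell command injection
}

# AFTER (pattern the fix introduces): no pathname is accepted from the
# client. The only file ever read is replmon.conf in the admin server config
# directory, and repl-monitor.pl is pulled in with require, so no shell is
# involved at all.
sub run_monitor_safe {
    my $conf = "$CONFIG_DIR/replmon.conf";
    die "replmon.conf not found in the admin server config directory\n"
        unless -f $conf;
    # Assumption: repl-monitor.pl defines run_monitor($config_path); the
    # real script's interface is not shown on the page.
    require 'repl-monitor.pl';
    return run_monitor($conf);
}

print header('text/html');
run_monitor_safe();
```

The request parameters the old script accepted no longer exist in the hardened handler, so there is nothing for a client to inject into; the remaining failure mode is a missing replmon.conf, which the script reports and stops on instead of falling back to client input.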
Lifting embargo.
fedora-ds-admin-1.1.4-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
fedora-ds-admin-1.1.4-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Checking in adminserver/admserv/cfgstuff/admserv.conf.in;
/cvs/dirsec/adminserver/admserv/cfgstuff/admserv.conf.in,v  <--  admserv.conf.in
new revision: 1.11; previous revision: 1.10
done
Checking in adminserver/admserv/cgi-src40/repl-monitor-cgi.pl.in;
/cvs/dirsec/adminserver/admserv/cgi-src40/repl-monitor-cgi.pl.in,v  <--  repl-monitor-cgi.pl.in
new revision: 1.2; previous revision: 1.1
done
This issue has been addressed in the following products:

Red Hat Directory Server v8 EL4
Red Hat Directory Server v8 EL5

Via RHSA-2008:0201 available at https://rhn.redhat.com/errata/RHSA-2008-0201.html