Cobalt RaQ2/RaQ3 Web Server Appliance cgiwrap bypass Vulnerability
BID:1238
Info
Cobalt RaQ2/RaQ3 Web Server Appliance cgiwrap bypass Vulnerability
| Bugtraq ID: | 1238 |
| Class: | Configuration Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 23 2000 12:00AM |
| Updated: | May 23 2000 12:00AM |
| Credit: | Posted to BugTraq on May 23, 2000 by Chris Adams <[email protected]> |
| Vulnerable: |
Cobalt RaQ 3.0 Cobalt RaQ 2.0 |
| Not Vulnerable: | |
Discussion
Cobalt RaQ2/RaQ3 Web Server Appliance cgiwrap bypass Vulnerability
From BugTraq post:
There is a security problem with FrontPage extensions on the Cobalt RaQ2
and RaQ3 web hosting appliances. It allows any user on the system to
change, delete, or overwrite a FrontPage site.
When a site is uploaded with FrontPage to a RaQ2/3, all of the files are owned
by user "httpd" instead of a site-specific user. The Apache web server
is also running as user "httpd". Cobalt uses cgiwrap to have CGIs run
as the user that owns the CGI instead of "httpd", but it is trivial to
bypass cgiwrap and run scripts as user "httpd".
You can bypass cgiwrap because the Apache config files have the line
"AllowOverride All". All you have to do is create an .htaccess file
with these lines in it:
Options +ExecCGI
AddHandler cgi-script .cgi
Then CGIs in that directory will be run with the web server's access as
user "httpd".
As far as I can tell, the only "safe" things in an AllowOverride line in
the Apache config are AuthConfig, Indexes, and Limit (these allow users
some control over their pages without bypassing system security settings
in the server config).
This same AllowOverride setting pretty much nullifies the "Enable CGI
Scripts" and "Enable Server Side Includes" options on the site
administration config for a web site, since CGI and SSI can be enabled
through a .htaccess file even if the administrator disables them.
From BugTraq post:
There is a security problem with FrontPage extensions on the Cobalt RaQ2
and RaQ3 web hosting appliances. It allows any user on the system to
change, delete, or overwrite a FrontPage site.
When a site is uploaded with FrontPage to a RaQ2/3, all of the files are owned
by user "httpd" instead of a site-specific user. The Apache web server
is also running as user "httpd". Cobalt uses cgiwrap to have CGIs run
as the user that owns the CGI instead of "httpd", but it is trivial to
bypass cgiwrap and run scripts as user "httpd".
You can bypass cgiwrap because the Apache config files have the line
"AllowOverride All". All you have to do is create an .htaccess file
with these lines in it:
Options +ExecCGI
AddHandler cgi-script .cgi
Then CGIs in that directory will be run with the web server's access as
user "httpd".
As far as I can tell, the only "safe" things in an AllowOverride line in
the Apache config are AuthConfig, Indexes, and Limit (these allow users
some control over their pages without bypassing system security settings
in the server config).
This same AllowOverride setting pretty much nullifies the "Enable CGI
Scripts" and "Enable Server Side Includes" options on the site
administration config for a web site, since CGI and SSI can be enabled
through a .htaccess file even if the administrator disables them.
Exploit / POC
Cobalt RaQ2/RaQ3 Web Server Appliance cgiwrap bypass Vulnerability
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Cobalt RaQ2/RaQ3 Web Server Appliance cgiwrap bypass Vulnerability
Solution:
Cobalt Networks has released patches for the RaQ 3i and RaQ 2 which fix this issue.
Cobalt RaQ 2.0
Cobalt RaQ 3.0
Solution:
Cobalt Networks has released patches for the RaQ 3i and RaQ 2 which fix this issue.
Cobalt RaQ 2.0
-
Cobalt RaQ2 fpx_patch1.tar.gz
ftp://ftp.cobaltnet.com/pub/experimental/security/frontpage/fpx_patch1 .tar.gz
Cobalt RaQ 3.0
-
Cobalt RaQ3i fpx_patch1.tar.gz
ftp://ftp.cobaltnet.com/pub/experimental/security/frontpage/fpx_patch1 .tar.gz
References
Cobalt RaQ2/RaQ3 Web Server Appliance cgiwrap bypass Vulnerability
References:
References: