Date: Tue, 23 May 2000 10:00:45 -0500 From: Chris Adams <cmadams@HIWAAY.NET> Subject: Problem with FrontPage on Cobalt RaQ2/RaQ3 To: BUGTRAQ@SECURITYFOCUS.COM There is a security problem with FrontPage extensions on the Cobalt RaQ2 and RaQ3 web hosting appliances. It allows any user on the system to change, delete, or overwrite a FrontPage site. When a site is uploaded with FP to a RaQ2/3, all of the files are owned by user "httpd" instead of a site-specific user. The Apache web server is also running as user "httpd". Cobalt uses cgiwrap to have CGIs run as the user that owns the CGI instead of "httpd", but it is trivial to bypass cgiwrap and run scripts as user "httpd". You can bypass cgiwrap because the Apache config files have the line "AllowOverride All". All you have to do is create an .htaccess file with these lines in it: Options +ExecCGI AddHandler cgi-script .cgi Then CGIs in that directory will be run with the web server's access as user "httpd". As far as I can tell, the only "safe" things in an AllowOverride line in the Apache config are AuthConfig, Indexes, and Limit (these allow users some control over their pages without bypassing system security settings in the server config). This same AllowOverride setting pretty much nullifies the "Enable CGI Scripts" and "Enable Server Side Includes" options on the site administration config for a web site, since CGI and SSI can be enabled through a .htaccess file even if the administrator disables them. I reported this to Cobalt on March 3 and got a response that they were testing a fix that they were going to release the next week. Then I discussed it on the cobalt-users mailing list (hosted at Cobalt) the first week of April, when a Cobalt employee asked me not to take it to BUGTRAQ because they were working on a fix. However, almost two months later (and three months since the problem was initially reported), no fix is available. -- Chris Adams <firstname.lastname@example.org> Systems and Network Administrator - HiWAAY Information Services I don't speak for anybody but myself - that's enough trouble.