W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > April to June 2003

FW: Problem: Apache + WebDav + CGI = Security Hole

From: Jim Whitehead <ejw@cse.ucsc.edu>
Date: Thu, 19 Jun 2003 12:06:49 -0700
To: "WebDAV" <w3c-dist-auth@w3.org>
Message-ID: <AMEPKEBLDJJCCDEJHAMIIEDEHPAA.ejw@cse.ucsc.edu>

Accidentally caught by the spam filter.

- Jim

-----Original Message-----
From: Jon Rifkin [mailto:jon@bluet.ucc.uconn.edu]
Sent: Thursday, June 19, 2003 10:19 AM
To: w3c-dist-auth@w3.org
Subject: [Moderator Action] Problem: Apache + WebDav + CGI = Security
Hole




Apache + WebDav + CGI = Security Hole

THE PROBLEM

I'm trying to provide a webserver that allows users to maintain separate
websites and use WebDav to manage their content.  After much development
it has occurred to me that I've created a *serious security hole*, for
while Apache/WebDav restricts users from each other's websites, CGI
scripts have no such restriction,  that is ...

   * Any user's CGI script can write into any another user's website.


For example, suppose you have two websites

  webserver.org/alice
  webserver.org/bob

where the websites 'alice' and 'bob' are managed by their respective
webmasters.  Webdav prevents Alice from writing in Bob's directory and
vice versa.  So far so good.

But, suppose Alice and Bob upload CGI scripts to their websites.  These
scripts will be able to write *anywhere* in the webserver document tree,
that is Alice's CGI script will be able to write into Bob's website and
vice versa, because

  (1) Both Alice's and Bob's scripts run as the apache user.
  (2) The apache user town's the entire webserver document tree.
  (3) Thus, the script will be able to write in any website in
      the document tree.


THE SOLUTION

This is where I need help.  Are there any easy and/or standard or even
feasible ways to do this?

I am currently investigating several ideas each with a unique set of
tradeoffs.

(1) Using a traditional Unix file system with separate users for
    each website and SuExec to enforce permissions on cgi-scripts.
    Will WebDav even run on such a configuration?  I've never tried
    it.

    The down side for me is that Apache SuExec can only assign
    User,Group CGI permission according to Unix home directories
    (I had hoped to create website independent of the Unix user
    mechanism) or by Virtual Host, which means all my web sites
    must be Virtual Hosted and I must still assign Unix accounts.

(2) Two instances of Apache, one instance on port 8080 running WebDav
    but *not* CGI for webmaster to upload content, the other instance on
    port 80 running CGI but *not* WebDav for normal web clients.  The
    two instances would run as different Users,Groups so that CGI
    scripts will run as users who can read but not write to the document
    tree.

    The down side here is that CGI scripts will not be able to use the
    file system for storage.  Any data stored from CGI scripts would
    need to be written to a database such as MySQL.

(3) If I had 6 months to spend, maybe some combination of Apache module
    and kernel module would allow Apache to limit CGI script file access
    to specifically configured directories.  This would require that the
    kernel support a relatively granular ACL for process dependent file
    access that can be manipulated by Apache.


Any suggestions would be most welcome.

- Jon Rifkin
============================================================================
==
# Jon Rifkin     # 860-486-5530    # jon.rifkin@uconn.edu
# Information Technology Services  # University of Connecticut
Received on Thursday, 19 June 2003 15:06:15 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:04 GMT