From nobody@hyperreal.com Thu May 22 13:35:57 1997 Received: (from nobody@localhost) by hyperreal.com (8.8.5/8.8.5) id NAA01229; Thu, 22 May 1997 13:35:57 -0700 (PDT) Message-Id: <199705222035.NAA01229@hyperreal.com> Date: Thu, 22 May 1997 13:35:57 -0700 (PDT) From: Steve Ford Reply-To: sford@futuresource.com To: apbugs@hyperreal.com Subject: POST to an htaccess-protected cgi doesn't challange user X-Send-Pr-Version: 3.2 >Number: 606 >Category: mod_auth-any >Synopsis: POST to an htaccess-protected cgi doesn't challange user >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Thu May 22 13:40:01 1997 >Last-Modified: Thu May 22 15:16:40 PDT 1997 >Originator: sford@futuresource.com >Organization: >Release: 1.2b10 >Environment: FreeBSD 2.1.7.1, gcc version 2.6.3 >Description: I have a CGI script in a directory that has an ".htaccess" file requiring the user to belong to a certain group. If I enter that CGI URL as a browser location, it correctly challanges me for username and password. The same thing happens when I get to the CGI via the "GET" method. In both cases, the script is run with the "REMOTE_USER" environment variable set to the username, and the access log file shows the access coming from username. However, if I get there via a POST method (with a freshly started browser, of course), it lets me right into the script. Unlike the above two methods, the script is run _without_ "REMOTE_USER" set, and the access log file shows the access coming from user "-". No error messages appear in the error log. The above behavior also happens if the browser has already supplied the username and password. I.e., the script is run without "REMOTE_USER" set and the access log shows the user "-". It's as if apache forgets to check for ".htaccess" when the method is POST. FYI - I don't know if it makes any difference, but the CGI is under a virtual server. Also, the cgi-bin directory is under the document tree, with an appropriate ScriptAlias in the httpd.conf file. >How-To-Repeat: Available on request. >Fix: >Audit-Trail: From: Marc Slemko To: Steve Ford Subject: Re: mod_auth-any/606: POST to an htaccess-protected cgi doesn't challange user Date: Thu, 22 May 1997 15:03:06 -0600 (MDT) On Thu, 22 May 1997, Steve Ford wrote: > I have a CGI script in a directory that has an ".htaccess" file requiring > the user to belong to a certain group. If I enter that CGI URL as a browser > location, it correctly challanges me for username and password. The same thing And exactly what do you have in the .htaccess file? A "Limit GET" by any chance? If so, that will limit GETs just as it says. From: sford@futuresource.com (Steve Ford) To: marcs@znep.com Subject: Re: mod_auth-any/606: POST to an htaccess-protected cgi doesn't challange user Date: Thu, 22 May 1997 16:42:45 -0500 marcs@znep.com sez: > On Thu, 22 May 1997, Steve Ford wrote: > > I have a CGI script in a directory that has an ".htaccess" file requiring > > the user to belong to a certain group. ... > > And exactly what do you have in the .htaccess file? A "Limit GET" by > any chance? If so, that will limit GETs just as it says. HEY!!! How did you manage to hack into our site and read our .htaccess file??? So, to protect myself from everything, I just get rid of the and lines. Then, just like it says, "If an access control directive appears outside a directive, then it applies to all access methods." (See http://www.apache.org/docs/mod/core.html#limit) Sorry and thanks. Steve Ford State-Changed-From-To: open-closed State-Changed-By: marc State-Changed-When: Thu May 22 15:16:39 PDT 1997 State-Changed-Why: User had a "Limit GET" which was only limiting GETs. >Unformatted: