
Re: [users@httpd] prevent cgi-bin script execution prior to authorization dialog success

Thanks Eric-

This is the relevant area of the apache2.conf file:
# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

<Directory /usr/lib/cgi-bin>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

# I know /cgi-bin doesn't exist, but I'm pounding my head against a wall here
<Directory /cgi-bin>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>


#<Directory /srv/>
#    Options Indexes FollowSymLinks
#    AllowOverride None
#    Require all granted
#</Directory>

# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#
AccessFileName .htaccess

and my .htaccess files, which are located in /usr/lib/cgi-bin and in /var/www/html/wormbot:
AuthUserFile /home/jpitt/wormbot/passwords
AuthName "Please enter your password"
AuthType Basic
Require valid-user
Satisfy All

Here's an excerpt from the access.log:
127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:51 -0700] "GET /cgi-bin/experimentbrowser HTTP/1.1" 200 3867 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
127.0.0.1 - - [14/Aug/2018:19:33:58 -0700] "GET /favicon.ico HTTP/1.1" 404 501 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"

You can see the icon images are being blocked (401 code).

error.log is clean.

I've also attached a screenshot of what this looks like... I've gotten the same result when I use apache2.conf to set the authorization for the cgi-bin rather than use a .htaccess file.

On Tue, Aug 14, 2018 at 6:37 PM, Eric Covener <covener@xxxxxxxxx> wrote:
On Tue, Aug 14, 2018 at 9:33 PM Jason Pitt <jnpitt@xxxxxx> wrote:
>
> Hello-
>
> I'm having an issue with trying to configure Apache that I'm hoping someone can help me address. I have several scripts located in the cgi-bin that I want to control access to. I'm able to either put an .htaccess file in the cgi-bin or modify the apache2.conf file to prompt for a username and password when the URL to the cgi script is entered into a browser, however... the script executes and sends content to the browser window before the user enters anything into the authorization dialog... furthermore the user can just cancel the authorization dialog and can then interact with the cgi generated content... the only thing getting blocked by apache is access to actual files on the webserver. How do I prevent this behavior?
>
It sounds like you may not be protecting the right
URL/files/directories. What's the relevant config and URL being
accessed? What does the access log say?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

--
/*
Jason Pitt PhD                                   206.616.1193
Kaeberlein Lab                                   jnpitt@xxxxxx
University of Washington
Department of Pathology
Health Sciences Building                    Box 357470
1989 NE Pacific Street
Seattle, WA 98195
*/

Attachment: Screenshot from 2018-08-14 19-25-49.png
Description: PNG image
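As an added example (my code, not anything from the thread or the Apache project), here is a check that reads log lines in the Combined Log Format used above. The third field of each line is the authenticated user and stays "-" when no user was authenticated, so a 2xx response for a URL under a prefix you intend to protect, with that field still "-", means the auth requirement never applied to that URL; that is exactly the pattern of the 200 for /cgi-bin/experimentbrowser sitting next to 401s for the /wormbot/img/ resources it referenced. The sample lines are constructed from the excerpt (user-agent shortened, plus one made-up authenticated request), and the protected prefix list is an assumption about the admin's intent.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines modelled on the access.log excerpt in the thread
# (user-agent shortened; the last line with user "alice" is made up).
SAMPLE_LOG = """\
127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0"
127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0"
127.0.0.1 - - [14/Aug/2018:19:33:51 -0700] "GET /cgi-bin/experimentbrowser HTTP/1.1" 200 3867 "-" "Mozilla/5.0"
127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0"
127.0.0.1 - alice [14/Aug/2018:19:40:02 -0700] "GET /cgi-bin/experimentbrowser HTTP/1.1" 200 3867 "-" "Mozilla/5.0"
"""

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_log(text):
    """Parse Combined Log Format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["path"] = urlsplit(e["target"]).path   # drop any query string
            entries.append(e)
    return entries

def unauthenticated_successes(entries, protected_prefixes):
    """Paths under a protected prefix that were served (2xx) with no
    authenticated user: the auth requirement did not apply to that URL."""
    hits = {e["path"] for e in entries
            if e["user"] == "-" and 200 <= e["status"] < 300
            and any(e["path"].startswith(p) for p in protected_prefixes)}
    return sorted(hits)

def pages_embedding_denied_resources(entries):
    """Referer paths of 401 responses: pages that were delivered and then
    tried to load resources the client was not authorised for."""
    refs = {urlsplit(e["referer"]).path for e in entries
            if e["status"] == 401 and e["referer"] != "-"}
    return sorted(refs)

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("served without auth:", unauthenticated_successes(log, ["/cgi-bin/"]))
    print("pages embedding denied resources:", pages_embedding_denied_resources(log))
```

Run it against the real access.log with the prefixes you mean to protect; any path it reports is one the auth directives are not reaching, which is where Eric's "protecting the right URL" question points.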