[Secure-testing-team] Bug#479276: [lighttpd] New configuration executes scripts outside of /cgi-bin/

Marcus Fritzsch m at fritschy.de
Sun May 4 02:56:35 UTC 2008


Package: lighttpd
Version: 1.4.19-2
Severity: important
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org

--- Please enter the report below this line. ---
The new configuration included with lighttpd contains the following
lines:

-----snip-----
cgi.assign      = (
  ".pl"  => "/usr/bin/perl",
  ".php" => "/usr/bin/php-cgi",
  ".py"  => "/usr/bin/python",
)
-----snap-----

These lines make it possible for scripts outside of /cgi-bin/ and w/o
exec permission to be executed by their respective (according to the
mapping) interpreters. Most likely the scripts will show some errors
like the following in the error log:

-----snip-----
Traceback (most recent call last):
File "/<path>/<file>.py", line 12, in <module>
import wx, math, time
ImportError: No module named wx
-----snap-----

Which is one of my scripts I hosted within my data files - I do not
have any CGIs for that matter.

Please correct the 10-cgi.conf in conf-available/ to a safe default.

Cheers, Marcus

--- System information. ---
Architecture: i386
Kernel:       Linux 2.6.24-1-686

Debian Release: lenny/sid
  500 unstable        ftp.de.debian.org 
  500 unstable        deb.opera.com 
    1 experimental    ftp.de.debian.org 

--- Package information. ---
Depends                            (Version) | Installed
============================================-+-==============
libattr1                       (>= 2.4.41-1) | 1:2.4.41-1
libbz2-1.0                                   | 1.0.5-0.1
libc6                             (>= 2.7-1) | 2.7-10
libfam0                                      | 
libldap-2.4-2                     (>= 2.4.7) | 2.4.7-6.1
libpcre3                            (>= 7.4) | 7.6-2
libssl0.9.8                    (>= 0.9.8f-5) | 0.9.8g-8
libterm-readline-perl-perl                   | 1.0302-1
lsb-base                          (>= 3.0-3) | 3.2-12
mime-support                                 | 3.40-1.1
zlib1g                          (>= 1:1.1.4) | 1:1.2.3.3.dfsg-12


-- 
/* name>Marcus Fritzsch   www>fritschy.de   gnupg>98A1D365   icq>53118621
jabber>fritschy at jabber.ap-wdsl.de  /-------------------------------------
----------------------------------/  */s(c,t){return isalpha(c)&&t?s(65-c
         &&97-c?c-1:c+25,t-1):c;}main(){for(;;)putchar(s(getchar(),13));}