Cobalt RaQ cgiwrap User Bypass

2000-05-23T00:00:00
ID OSVDB:1346
Type osvdb
Reporter OSVDB
Modified 2000-05-23T00:00:00

Description

Vulnerability Description

Cobalt RaQ contain a flaw that allows a malicious user to bypass restrictions imposed by .htaccess files. The flaw is due to RaQ servers assigning ownership of uploaded files to "httpd" instead of specific users. RaQ servers use 'cgiwrap' to ensure scripts are run as the user instead of httpd, but this can bypassed by creating a specially crafted .htaccess file containing parameters that will run the scripts under the 'httpd' user privileges.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Cobalt Networks has released a patch to address this vulnerability.

Short Description

Cobalt RaQ contain a flaw that allows a malicious user to bypass restrictions imposed by .htaccess files. The flaw is due to RaQ servers assigning ownership of uploaded files to "httpd" instead of specific users. RaQ servers use 'cgiwrap' to ensure scripts are run as the user instead of httpd, but this can bypassed by creating a specially crafted .htaccess file containing parameters that will run the scripts under the 'httpd' user privileges.

References:

Vendor Specific Advisory URL Nessus Plugin ID:10041 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-05/0259.html ISS X-Force ID: 4531 CVE-2000-0431 Bugtraq ID: 1238