Re: www-sql cgi prog overrides .htaccess restrictions.
Stunt Pope (markjr@SHMOOZE.NET)
Mon, 09 Feb 1998 12:27:25 -0500
On 09-Feb-98 Mr LEROY christophe wrote:
>www-sql is a cgi program to access a mysql database via a http server
>and create easyly some pages from a query result.
>
>That program acts as a filter, using PATH_TRANSLATED feature to
>access html files on your server tree, and it translates <! sql ...> tags
>into html viewable text, letting other parts of the html file unchanged.
>
>The problem is that www-sql performs nothing to verify if a user can
>access the intended PATH_TRANSLATED file.
>
>So, suppose your htdocs tree is /home/htdocs/
>you have a subdirectory /home/htdocs/protected/ in which you have
>you have restricted access using .htaccess file.
>In your browser, enter URL http://your.server/protected/something.html:
>you get prompted a username and a password.
>Now, enter URL http://your.server/cgi-bin/www-sql/protected/something.html:
>you get the requested file
>
>www-sql is available into Incoming sunsite directory
This is a common characteristic of other "cgi-wrapper" programs as well,
including w3-msql and php.cgi. The latter addresses this by giving one
the option to set PATTERN_RESTRICT at compile time (that way it will
only load files ending in say ".phtml"), or by compiling as an apache
module. I'm not sure about w3-msql because I haven't been following it
for quite some time.
regards, markjr
---
Mark Jeftovic aka: mark jeff or vic, stunt pope.
markjr@shmOOze.net http://www.shmOOze.net/~markjr
PWC's BOFH http://www.PrivateWorld.com
irc: L-bOMb Keep `em Guessing