From BugTraq post: There is a security problem with FrontPage extensions on the Cobalt RaQ2 and RaQ3 web hosting appliances. It allows any user on the system to change, delete, or overwrite a FrontPage site. When a site is uploaded with FrontPage to a RaQ2/3, all of the files are owned by user "httpd" instead of a site-specific user. The Apache web server is also running as user "httpd". Cobalt uses cgiwrap to have CGIs run as the user that owns the CGI instead of "httpd", but it is trivial to bypass cgiwrap and run scripts as user "httpd". You can bypass cgiwrap because the Apache config files have the line "AllowOverride All". All you have to do is create an .htaccess file with these lines in it: Options +ExecCGI AddHandler cgi-script .cgi Then CGIs in that directory will be run with the web server's access as user "httpd". As far as I can tell, the only "safe" things in an AllowOverride line in the Apache config are AuthConfig, Indexes, and Limit (these allow users some control...
From BugTraq post: There is a security problem with FrontPage extensions on the Cobalt RaQ2 and RaQ3 web hosting appliances. It allows any user on the system to change, delete, or overwrite a FrontPage site. When a site is uploaded with FrontPage to a RaQ2/3, all of the files are owned by user "httpd" instead of a site-specific user. The Apache web server is also running as user "httpd". Cobalt uses cgiwrap to have CGIs run as the user that owns the CGI instead of "httpd", but it is trivial to bypass cgiwrap and run scripts as user "httpd". You can bypass cgiwrap because the Apache config files have the line "AllowOverride All". All you have to do is create an .htaccess file with these lines in it: Options +ExecCGI AddHandler cgi-script .cgi Then CGIs in that directory will be run with the web server's access as user "httpd". As far as I can tell, the only "safe" things in an AllowOverride line in the Apache config are AuthConfig, Indexes, and Limit (these allow users some control over their pages without bypassing system security settings in the server config). This same AllowOverride setting pretty much nullifies the "Enable CGI Scripts" and "Enable Server Side Includes" options on the site administration config for a web site, since CGI and SSI can be enabled through a .htaccess file even if the administrator disables them.
