[Pkg-nagios-devel] Bug#679476: icinga-cgi: apache config DirectoryMatch contains some subtle critical bugs

Christoph Anton Mitterer calestyo at scientia.net
Fri Jun 29 02:17:45 UTC 2012


Package: icinga-cgi
Version: 1.7.1-1
Severity: important
Tags: security


Hi.

Being a security nerd I'd actually consider this severity grave but anyway:

I stumbled across the subtle black magic behind Apache PCRE match
directives just before and reported some documentation improvement
ideas upstream (read that for the long details):
https://issues.apache.org/bugzilla/show_bug.cgi?id=53483

In the apache2.conf example you use:
<DirectoryMatch "^(/usr/share/icinga/htdocs|/usr/lib/cgi-bin/icinga|/etc/icinga/stylesheets)">

As far as I can see, this is NOT from the upstream sources, right? If so I'd have to report that
upstream, too.

That pattern is security critical as it also matches directories like:
/usr/share/icinga/htdocsMY-SECRET-STUFF
/usr/lib/cgi-bin/icinga-never-execute-this

Well of course one can always argue, if people do such weird stuff, it's their fault, but we
can never know which setups may be reasonable for them.

In principle (!) the following should work (note the trailing /):
"^(?:/usr/share/icinga/htdocs|/usr/lib/cgi-bin/icinga|/etc/icinga/stylesheets)/"


This matches the directories themselves and any subdirs, but NOT dirs starting with these strings.
Unfortunately there is still something wrong (which may be a bug in Apache), see:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53483#c2

Icinga may be unaffected by this, as we only go in via aliases,... I will try that tomorrow.
So please keep the bug open until we could trace everything down :)


Cheers,
Chris.

btw: The ?: in the beginning means that the subpatterns (the (...) thingys) are not captured, which
makes things a bit faster.
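
Added example, not part of the original message or of the Debian package: the two patterns quoted above are run against constructed probe paths to show which ones cover a sibling directory that only shares the string prefix. It assumes Python's `re` as a stand-in for PCRE and an unanchored search; how Apache hands the directory path to the regex (with or without a trailing slash) is not modelled, and the probe names are made up for the test.

```python
import re

# Both patterns are copied from the message above.
PACKAGED = r"^(/usr/share/icinga/htdocs|/usr/lib/cgi-bin/icinga|/etc/icinga/stylesheets)"
PROPOSED = r"^(?:/usr/share/icinga/htdocs|/usr/lib/cgi-bin/icinga|/etc/icinga/stylesheets)/"

# Directories the section is meant to cover (taken from the pattern itself).
INTENDED = [
    "/usr/share/icinga/htdocs",
    "/usr/lib/cgi-bin/icinga",
    "/etc/icinga/stylesheets",
]

def probes(base):
    """Constructed test paths for one intended directory."""
    return {
        "dir_no_slash": base,            # the directory, no trailing slash
        "dir_slash": base + "/",         # the directory, trailing slash
        "subdir": base + "/sub/",        # a real subdirectory
        "sibling": base + "-sibling/",   # shares only the string prefix
    }

def audit(pattern):
    """Return {base: {probe_name: matched}} using an unanchored search,
    so the pattern matches anywhere unless it anchors itself."""
    rx = re.compile(pattern)
    return {b: {name: bool(rx.search(path)) for name, path in probes(b).items()}
            for b in INTENDED}

def overmatches(pattern):
    """Intended directories whose prefix-only sibling is matched as well."""
    return [b for b, result in audit(pattern).items() if result["sibling"]]

if __name__ == "__main__":
    for label, pattern in (("packaged", PACKAGED), ("proposed", PROPOSED)):
        print(label, "sibling over-matches:", overmatches(pattern))
        for base, result in audit(pattern).items():
            print("   ", base, result)
```

The `dir_no_slash` column shows that the trailing-slash pattern covers the directory itself only when the tested string ends in `/`, which is worth checking against the running server before relying on either form.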




