Going from 12523 to 12533 broke my script in /tmp/www/cgi-bin

[frater]

Going from 12523 to 12533 broke my script in /tmp/www/cgi-bin

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=25015&postdays=0&postorder=asc&start=14

Someone else was having this issue while I didn't. Upgrading to 12533 gave me the same problem.

[BrainSlayer]

for security reasons we had to removed this obsolete feature which is not used by any dd-wrt code anymore. see www.dd-wrt.com for more info. this feature will not be reintroduced. maybe a alternate variant

[frater]

Couldn't the httpserver itself be secured or only turn it off when the server listens to WAN? This means no asterisk monitoring through http anymore :(

[phuzi0n]

Many people used this to run custom scripts. Most notably the autoap web interface. Please consider reintroducing it in a secured manor such as the random session id that has been suggested.

[thawk]

I would also like to have cgi script support re-introduced. I have several scripts which are no longer functional since I upgraded to a build after 12533; as a consequence, I'm seriously considering downgrading to an earlier build, and using iptables to fix the httpd vulnerability.

[thawk]

Not to be presumptuous, but after looking over 'httpd.c', a possible fix for the most egregious part of the vulnerability (allowing arbitrary commands included in the URL to be executed) is the following:

NOTE: new lines are designated by '+'. '...' denotes omitted lines.

+const char *file_dir;
+char *file_path;

...

   if (containsstring(file, "cgi-bin")) {
+     file_dir = server_dir != NULL ? server_dir : "/www";
+     len = strlen(file_dir);
+     len += strlen(file);
+     file_path = (char *)alloca((len+1)*sizeof(char));
+     (void)sprintf(file_path, "%s%s", file_dir, file);
+
+     if ( access(file_path, X_OK) != 0 )
+        send_error(401, "Bad Request", (char *)0, "Invalid CGI script specified");
+        return;
+     }

This fix would allow only valid (executable) scripts to be run, and would prevent exploits such as the following from working:

​http://192.168.1.1/cgi-bin/;reboot

[kingsmill]

Disabling cgi scripts has broken some code I am running. Please re-instate the capability to run cgi scripts.

[nguyen]

Accessing ​http://192.168.1.1/cgi-bin/ you need username and password isn't it? If this is true, then what is the problem?

[nguyen]

Replying to nguyen:

Accessing ​http://192.168.1.1/cgi-bin/ you need username and password isn't it? If this is true, then what is the problem?

OK, I have seen the code.

[somekool]

could not we replace this milli-httpd by lighttpd?

where is the config of this httpd server? and where are the files? /www contains empty directories only...