John,

Possibly, but I doubt it.

The thing is, on V3R2, if I used the URL to call CGIPGM1:

http://my.as400.com/cgi-bin/cgipgm1?parm1=hello

It would error out saying that cgipgm1, in lower case, could not be found. cgi-bin is mapped to library AS/400 CGI so it is in the QSYS portion of the IFS.

Now, since we are up to V4R3, this URL _will_ work. The only problem is, I have a PROTECT directive on CGIPGM1 so that no one can access the info without a userid and password. This works fine as long as the URL contains CGIPGM1 in upper case. But if it's in lower case, or mixed case (a lot of patterns with 6 letters that can work), it blows right by the PROTECT directive.

Brad

Bradley V. Stone
Taylor Corporation - OASIS Programmer/Analyst
bvstone@taylorcorp.com

> -----Original Message-----
> From: John Earl [SMTP:johnearl@toolnet.com]
> Sent: Tuesday, April 27, 1999 1:52 AM
> To: MIDRANGE-L@midrange.com
> Subject: Re: HTTP Server Security Issue
>
> Brad,
>
> I was just reading that the major difference between the root "/" file
> system and the QOpenSys file system is that the QOpenSys file system
> supports case sensitive object names and root, QDLS, and QSYS.LIB do not.
> Could this explain the behavior you saw?
>
> jte
>
> Stone, Brad V (TC) wrote:
>
> > Recently I was playing around with a CGI program that I developed to run
> > on our old V3R2 machine. Now we are on V4R3. In the past, I'm sure that
> > when you were calling an RPG CGI program it had to be in uppercase in the
> > URL.
> >
> > Now it seems it doesn't matter. Using
> > /cgi-bin/CGIPGM1
> > or
> > /cgi-bin/cgipgm1
> >
> > Will do the same thing and call the CGI program just fine. Which leads to
> > an interesting point:
> >
> > If you have a protection directive set up in your HTTP Config on
> > CGIPGM1.PGM, if the user types the URL in in lower case, the protection
> > is ignored.
> >
> > Taking this a step further, any combination of upper and lower case will
> > be ignored except the EXACT protection directive you have given. So, if
> > your directive looks like this:
> >
> > Protect /QSYS.LIB/AS400CGI.LIB/CGIPGM.PGM CGIPGMP
> >
> > where CGIPGMP is a protection directive set up, if the user types in
> > CGIPGM on the url, the protection will work. If, on the other hand, they
> > type in
> > cgipgm
> > CgiPgm
> > cgiPgm
> > etc.. etc...
> >
> > The protection is ignored.
> >
> > This has got to be a bug or else I'm missing something else here. I'd
> > like to hear from anyone using a protection directive on a CGI program
> > and see if they have the same results.
> >
> > Bradley V. Stone
> > Taylor Corporation - OASIS Programmer/Analyst
> > bvstone@taylorcorp.com
> >
> > +---
> > | This is the Midrange System Mailing List!
> > | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> > | Questions should be directed to the list owner/operator: david@midrange.com
> > +---
>
> --
> John Earl johnearl@toolnet.com
>
> PowerTech Toolworks 206-575-0711
> PowerLock Network Security www.toolnet.com
> The 400 School www.400school.com
> --
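The mismatch reported in this thread, as an added example that is not part of the original messages and is not IBM HTTP Server code: a toy model in which the protection check compares names character for character while the file system folds case, next to a check that canonicalizes first and a log audit for requests that slipped past. The URL-to-library mapping, the `PUBLIC` program, the function names and the sample requests are constructed assumptions; only the `Protect` directive path and setup name come from the quoted message.

```python
# Added illustration: a toy model, not IBM HTTP Server code.
# Rules and object names are constructed around the directive quoted in the thread.
PREFIX, LIBRARY = "/cgi-bin/", "/QSYS.LIB/AS400CGI.LIB/"      # assumed URL-to-library mapping
PROTECT = {"/QSYS.LIB/AS400CGI.LIB/CGIPGM.PGM": "CGIPGMP"}    # template (upper case) -> setup
OBJECTS = {"/QSYS.LIB/AS400CGI.LIB/CGIPGM.PGM",
           "/QSYS.LIB/AS400CGI.LIB/PUBLIC.PGM"}               # PUBLIC is a hypothetical program


def to_object_path(url_path):
    """Map a request path to a library object path, keeping the caller's spelling."""
    path = url_path.split("?", 1)[0]
    if not path.startswith(PREFIX):
        return None
    return LIBRARY + path[len(PREFIX):] + ".PGM"


def resolve(object_path):
    """QSYS.LIB is case-insensitive: any spelling reaches the same object."""
    canonical = object_path.upper()
    return canonical if canonical in OBJECTS else None


def protect_exact(object_path):
    """Reported behaviour: the directive is compared character for character."""
    return PROTECT.get(object_path)


def protect_canonical(object_path):
    """Corrected check: compare the same canonical name the file system resolves."""
    return PROTECT.get(object_path.upper())


def handle(url_path, protect):
    """Return the outcome of a request under the given protection check."""
    object_path = to_object_path(url_path)
    if object_path is None or resolve(object_path) is None:
        return "404"
    setup = protect(object_path)
    return "401 " + setup if setup else "200"


def audit(request_paths):
    """Flag logged requests that reach a protected object under a non-matching spelling."""
    flagged = []
    for url_path in request_paths:
        object_path = to_object_path(url_path)
        if object_path and protect_canonical(object_path) and not protect_exact(object_path):
            flagged.append(url_path)
    return flagged
```

Running `audit` over the request paths from an access log lists the requests that reached a protected program without matching the directive's spelling.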