PATCH FOR OPENDAP'S CGI-BASED SERVERS

Updated 1 May 2007

The replacement get_url() function declared that it used the Perl module CGI. That declaration can be removed because the module is not needed. The extra declaration does not present any security or performance issue, but on some systems this module is not present, and to get the patched server to work it had to be installed. Since it's not needed, we've removed the line. Thanks to John Dalton for this information.

The text of the original patch follows.

27 APRIL 2007

This file describes how to patch the OPeNDAP CGI-based data server so that it no longer suffers from a known security vulnerability which allows people to run arbitrary commands on the computers which host the server. It applies to server versions 3.2.10 to 3.7.4, which were released between 12/31/2002 and 4/25/2007.

Please read over the instructions before you start. If you need help, you can mail us at security-help at opendap.org. That address is not a list; your message will go directly to one of the developers, who will help you.

Why provide a by-hand patch instead of an automatic one? We decided to provide a 'manual' patch because of the wide range of server versions still in use.

To apply this patch you will need to do three things, outlined below. None of these are very complicated, but you will need to be able to write to the directory (or directories) where your server is installed. You may also need the privileges required to install a Perl module (which often means you need root privileges).
To find the Perl module, DODS_Dispatch.pm, and the main CGI script, nph-dods, you can do any of the following:

    Use the 'locate' command to see where the files were installed;

    Look in your web server's configuration file to see where the CGI is located (often this is /etc/httpd/conf/httpd.conf, although our 3.7.x RPM distributions put an opendap_apache.conf file in /etc/httpd/conf.d/);

    Or look in likely places such as:
        /usr/local/etc (for older servers)
        /usr/local/share/dap-server and /usr/local/share/dap-server-cgi (newer)
        /usr/share/dap-server and /usr/share/dap-server-cgi (newer, RPMs)

Step 1. In the file DODS_Dispatch.pm, find the function get_url(). It should be around line 800, depending on the version you have, and will look like this (all affected versions of the function look essentially the same):

    sub get_url {
        my $self = shift;
        my $url  = shift;

        # The URL is spliced into a command line that is handed to the shell
        # by the piped open below; this is the construct the patch removes.
        my $transfer = $self->curl() . " --silent " . $url . " |";
        my $buf;

        print( DBG_LOG "About to run curl: $transfer\n" ) if $debug > 1;

        # Use the HTML error message format since this is only used via a web
        # browser, never a client built with our library. 11/21/03 jhrg
        open CURL, $transfer
          or print_error_message( $self,
                "Could not transfer $url: \nUnable to open the transfer utility (curl).\n", 0 );

        print( DBG_LOG "Back from curl\n" ) if $debug > 1;

        my $offset = 0;
        my $bytes;
        while ( $bytes = read CURL, $buf, 20, $offset ) {
            $offset += $bytes;
        }
        close CURL;

        return $buf;
    }

Replace that with:

    sub get_url {
        my $self = shift;
        my $url  = shift;

        use LWP::Simple;
        use FilterDirHTML;    # FilterDirHTML is a subclass of HTML::Filter

        print( DBG_LOG "get_url: Getting the directory listing using: $url\n" ) if $debug > 1;

        # Fetch the URL directly with LWP; no shell is involved.
        my $directory_html = &get($url);

        return $directory_html;
    }

You can do the edits in step 2 by hand, but use cut/paste for the above since it's easy to make a small typo. A typo won't (unless it's _very_ creative) make your server insecure, but the server probably won't work.

Step 2.
Look in the nph-dods program for this line (which older servers don't have):

    my $dodster = is_dodster( $dispatch->filename() );

If it's present, change it to:

    my $dodster = "";

If you don't see this, then skip to step 2b.

Step 2b. Look in nph-dods for:

    $dispatch = new DODS_Dispatch( "DAP2/" ....

where the string following "DAP2/" is some version number like "3.7.4" or "3.4". Change that to "3.8.0". This is not technically true: you're really still running a patched version 3.2.x or 3.7.x or whatever server, but this provides a way to see that your server has been patched in a way that won't break client programs.

Step 3. Verify that the Perl LWP module is installed. Do this by running the command:

    perl -e "use LWP;"

It should return nothing if the module is installed; it will return an error stating "Can't locate LWP.pm" if not. In that case, install the LWP Perl module. One way to do this is to use the 'cpan' utility, like so:

    sudo cpan -i LWP

and answer the questions as it prompts you.

Step 4. Verify the patch. The server's version response should be '3.8.0'. In a browser, look at http://<your-server>/cgi-bin/nph-dods/version (substitute your server's host name). If you are running the server in a special CGI bin directory, use its name instead of 'cgi-bin'. If you get this, you're done.
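As an added example (not part of the original patch), here is a small POSIX shell audit script that checks the two edited files for the constructs steps 1, 2 and 2b remove and add, and wraps the step 3 and step 4 checks. File paths and the server host name are assumed to be supplied by the caller.

```shell
#!/bin/sh
# Audit helper for the OPeNDAP CGI server patch described above.
# Added example, not part of the original patch. The grep patterns
# are taken from the code shown in steps 1, 2 and 2b; paths and the
# server host name are supplied by the caller.

# Step 1: DODS_Dispatch.pm must no longer splice the URL into a curl
# command line opened as a shell pipe, and must load LWP::Simple.
check_dispatch() {
    f=$1
    if grep -qF '$url . " |"' "$f"; then
        echo "FAIL: $f still runs curl through a shell pipe in get_url()"
        return 1
    fi
    if ! grep -qF 'use LWP::Simple' "$f"; then
        echo "FAIL: $f does not load LWP::Simple"
        return 1
    fi
    echo "OK: $f fetches URLs with LWP::Simple"
}

# Steps 2 and 2b: nph-dods must not call is_dodster() on the request
# filename and must report version 3.8.0 (older servers never had the
# is_dodster line, so only its presence counts as a failure).
check_nph_dods() {
    f=$1
    if grep -q 'dodster *= *is_dodster(' "$f"; then
        echo "FAIL: $f still calls is_dodster()"
        return 1
    fi
    if ! grep -qF '"DAP2/3.8.0"' "$f"; then
        echo "FAIL: $f does not report version 3.8.0"
        return 1
    fi
    echo "OK: $f is patched and reports 3.8.0"
}

# Step 3: the new get_url() needs LWP; exits non-zero if it is missing.
check_lwp() {
    perl -e 'use LWP;' 2>/dev/null
}

# Step 4: fetch the version page from the given host name and confirm
# the server answers with 3.8.0.
check_version() {
    perl -MLWP::Simple -e 'print get($ARGV[0])' \
        "http://$1/cgi-bin/nph-dods/version" | grep -q '3\.8\.0'
}
```

Run it as, for example, `check_dispatch /usr/share/dap-server/DODS_Dispatch.pm; check_nph_dods /usr/share/dap-server-cgi/nph-dods` after sourcing the file; check_version needs LWP on the machine running the check.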