ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.
When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.
This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.
This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.
Description: CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
Solutions
Configurations
The inets httpd server must use script_alias to map a URL prefix to a CGI directory, combined with directory-based access controls (e.g., mod_auth) protecting the script_alias target path. The vulnerability applies whenever the script_alias target path differs from DocumentRoot + URL prefix.
Workarounds
* Move CGI scripts inside DocumentRoot and use alias instead of script_alias to ensure mod_auth resolves the correct path.
* Apply URL-based access controls at a reverse proxy layer to block unauthenticated access to the script_alias URL prefix.
* Remove mod_cgi from the httpd modules chain if CGI functionality is not required.