httpd-dev mailing list archives

From "Aram W. Mirzadeh" <...@qosina.com>
Subject WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux
Date Thu, 02 Nov 1995 16:57:21 GMT

ack sent... I can't seem to replicate the problem, but I thought
I would share it with the group, just in case someone else can
replicate it.

I've asked for specifications on the type of system being run on
as well as which modules are being included.


>X-POP3-Rcpt: awm@luers.qosina.com
>From: craig@craigster.com
>To: awm@qosina.com
>Date: Wed Nov  1 17:28:44 1995
>Subject: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux
>
>Submitter: craig@craigster.com
>Operating system: Linux, version: 1.2.13
>Extra Modules used: none
>URL exhibiting problem: http://www.apache.org//cgi-bin/access_count
>
>Symptoms:
>--
>If someone puts an extra "/" in a URL that points to 
>an executable file in a ScriptAliased directory, the 
>SOURCE of a Perl script (or binary information for 
>compiled programs) is output as plain text.  
>
>The problem occurs in both Netscape and Lynx.
>
>Please respond ASAP, as this is a serious security 
>issue for us and we're looking for a fix.  We have 
>triple-checked our configuration files, and don't 
>see any problems on our end.  The bug is even evident 
>on APACHE.ORG's server.
>
>Thanks!
>--
>
>Backtrace:
>--
>
>--
>
>
--
Aram W. Mirzadeh, MIS Manager, Qosina Corporation
http://www.qosina.com/~awm/, awm@qosina.com
Apache httpd server team http://www.apache.org
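
The symptom in the report above, as an added example; it is not code from the Apache source or from either poster. It assumes, as a hypothesis this thread does not confirm, that the script-directory check is a literal prefix comparison on the raw request path; `SCRIPT_PREFIX` and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical prefix, standing in for a "ScriptAlias /cgi-bin/ ..." line. */
static const char *SCRIPT_PREFIX = "/cgi-bin/";

/* Collapse every run of '/' into a single '/', in place. */
static void collapse_slashes(char *path)
{
    char *src = path, *dst = path;
    while (*src) {
        *dst++ = *src;
        if (*src == '/')
            while (*src == '/') src++;
        else
            src++;
    }
    *dst = '\0';
}

/* Assumed weak check: literal prefix comparison on the raw path. */
static int is_script_naive(const char *uri_path)
{
    return strncmp(uri_path, SCRIPT_PREFIX, strlen(SCRIPT_PREFIX)) == 0;
}

/* Same comparison after normalizing a bounded copy of the path.
 * Returns -1 when the path does not fit, so the caller can reject it. */
static int is_script_normalized(const char *uri_path)
{
    char buf[1024];
    if (strlen(uri_path) >= sizeof(buf))
        return -1;
    strcpy(buf, uri_path);
    collapse_slashes(buf);
    return is_script_naive(buf);
}

int main(void)
{
    /* Constructed request paths; the second has the shape in the report. */
    const char *paths[] = { "/cgi-bin/access_count", "//cgi-bin/access_count",
                            "/cgi-bin//access_count", "/index.html" };
    for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
        printf("%-26s naive=%d normalized=%d\n", paths[i],
               is_script_naive(paths[i]), is_script_normalized(paths[i]));
    return 0;
}
```

Under that assumption, the doubled slash misses the script prefix and the request falls through to ordinary file handling, which is where the file contents would be sent as plain text; normalizing before the comparison classifies both forms the same way.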

