httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jennifer Myers <jmy...@marigold.eecs.nwu.edu>
Subject Re: util.c hole and speed of security patch release
Date Tue, 23 Apr 1996 05:05:40 GMT
I wrote:

> PATH_INFO nor QUERY_STRING are).  I guess the guy at NASIRC has found
> a CGI script which relies on argv not being escaped...
                                    ^^^
Oops, typo! Strike the "not".

In any case, I don't believe any of the CGI programs distributed with
Apache or NCSA httpd meet the requisite contrived conditions for an
exploit by way of the newline character being missing in
escape_shell_cmd().

--
Jennifer Myers				http://www.eecs.nwu.edu/~jmyers/


Mime
View raw message