Received: by taz.hyperreal.com (8.6.12/8.6.5) id WAA20713;
 Mon, 22 Apr 1996 22:05:46 -0700
Received: from marigold.eecs.nwu.edu by taz.hyperreal.com (8.6.12/8.6.5) with
 ESMTP id WAA20708; Mon, 22 Apr 1996 22:05:43 -0700
Received: (from jmyers@localhost) by marigold.eecs.nwu.edu (8.7.4/8.7.3) id
 AAA01597 for new-httpd@hyperreal.com; Tue, 23 Apr 1996 00:05:40 -0500 (CDT)
Message-Id: <199604230505.AAA01597@marigold.eecs.nwu.edu>
Subject: Re: util.c hole and speed of security patch release
To: new-httpd@hyperreal.com
Date: Tue, 23 Apr 1996 00:05:40 -0500 (CDT)
In-Reply-To: <199604230449.XAA01164@marigold.eecs.nwu.edu> from "Jennifer
 Myers" at Apr 22, 96 11:49:08 pm
From: Jennifer Myers <jmyers@marigold.eecs.nwu.edu>
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

I wrote:

> PATH_INFO nor QUERY_STRING are).  I guess the guy at NASIRC has found
> a CGI script which relies on argv not being escaped...
                                    ^^^
Oops, typo! Strike the "not".

In any case, I don't believe any of the CGI programs distributed with
Apache or NCSA httpd meet the requisite contrived conditions for an
exploit by way of the newline character being missing in
escape_shell_cmd().

--
Jennifer Myers				http://www.eecs.nwu.edu/~jmyers/