httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dirk.vanGulik" <Dirk.vanGu...@jrc.it>
Subject Re: Security interest
Date Fri, 31 May 1996 16:32:48 GMT
>> In reply to Dirk.vanGulik who said
> > 
> > Yup :-( it is true, we have to get serious on the setuid stuff
> > I am afraid.
> > 
> > 
> > #!/bin/sh
> > telnet some-host-somewhere 80 <<"EOM"
> > POST /cgi-bin/perl HTTP/1.0
> 
> I wouldn't worry too much about this. If you're dumb enough to put
> interpreters in your cgi-bin then you're in big trouble. The fix is quite
> simply to not do it, there's absolutely no reason to.
> 
Hmm, I just did a quick Momspider run with the sites from my hotlist
on /cgi-bin/[perl,sh,csh,..] and I came across quite a few. So this does
warrant some kind of

	- putting this in the documentation

	- screaming hell if the setuid does not work.

	- insisting that the stuff send down the wire is
	  really a POST; I do not think that the protocol 
  	  allows for such things such as returns, but had
	  all escaped using a %0a etc. ?

Or am I overreactin :-)

Dw.

Mime
View raw message