httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aram Mirzadeh <...@qosina.com>
Subject Re: WWW Form Bug Report: "Security hole in test-cgi" on Linux
Date Sun, 02 Jun 1996 03:55:38 GMT
> 
> 
> Hmm, I couldn't replicate his problem, but given that test-cgi is a SH 
> script, maybe it shouldn't be in there, particularly since "printenv" 
> (the only other script now in cgi-bin by default) does roughly the same 
> thing.
> 
> 	Brian

I was able to with the default test-cgi program that is shiped with apache. 
And the results were a little more drastic.   As you can see a: 

	http://www.qosina.com/cgi-bin/test-cgi?word *   
	
	This resulted in the files in my cgi-bin dir to be displayed.... 
	If you try his site, the results are quiet different. 

My system... it's a test system that no one has access to, has the Options All
for the cgi-bin dir. 

CGI/1.0 test script report:

argc is 1. argv is word.

REMOTE_IDENT =
HTTP_FROM =
SERVER_SOFTWARE = Apache/1.1b2
SERVER_NAME = linux.mis.qosina.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = Count.cgi anim bottom.html bottom.html.old cam.pl catalog cgi-lib.pl cgi.pl
counter.dave.mod counter.dave1 counter.index country-codes dave-wwwboard.pl dbadmin error404-missing
feedback frame.cgi gwstat imagemap index.cgi index.html ip-stat-qox.cgi ip-stat.cgi ip-stat.cgi.new
lib makestat makestats myoffice.html nph-cam.pl oldlog2new order1 ordering ordertemp phf.DO_NOT_USE
pict.pl post-query qcam qosina-search96 query redhatpackage.cgi search send snap.pl snappush.pl
source_request sqlsearch.cgi stat-qox.cgi stat.950825.cgi stat.951224.cgi stat.960325.cgi
stat.960430.cgi stat.cgi stat.cgi.new test-cgi test-env.pl testcgi update-webstats vend-0.2
vend-mos vendqosmedix w3-msql wwwstats HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
PATH_INFO = 
PATH_TRANSLATED = 
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING = word
REMOTE_HOST = awm-p.qosina.com
REMOTE_ADDR = 206.64.187.210
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =


The Reporters system reports: 

ERVER_SOFTWARE = Apache/1.0.5
SERVER_NAME = www.mitchcraft.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = * HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
PATH_INFO = 
PATH_TRANSLATED = 
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING = word
REMOTE_HOST = awm-p.qosina.com
REMOTE_ADDR = 206.64.187.210
REMOTE_USER = 
AUTH_TYPE = 
CONTENT_TYPE = 
CONTENT_LENGTH = 

I belive he only has ExecCGI as the Option. 

> > 
> > >Return-Path: nobody@hyperreal.com
> > >From: doug@mitchcraft.com
> > >To: awm@qosina.com
> > >Date: Thu May 30 23:07:21 1996
> > >Subject: WWW Form Bug Report: "Security hole in test-cgi" on Linux
> > >
> > >Submitter: doug@mitchcraft.com
> > >Operating system: Linux, version: 1.2.13
> > >Version of Apache Used: 1.0.5
> > >Extra Modules used: Stock RedHat
> > >URL exhibiting problem: http://www.mitchcraft.com/cgi-bin/test-cgi?word *

<Aram>

-- 
Aram Mirzadeh						awm@qosina.com
MIS Manager				      Apache httpd team member
Qosina Corporation				    aram@hyperreal.com
http://www.qosina.com/			    http://www.qosina.com/~awm

You're not drunk if you can lie on the floor without holding on.
                -- Dean Martin


Mime
View raw message