httpd-dev mailing list archives

From Brian Behlendorf <br...@organic.com>
Subject Re: WWW Form Bug Report: "Security hole in test-cgi" on Linux
Date Sun, 02 Jun 1996 01:13:05 GMT

Hmm, I couldn't replicate his problem, but given that test-cgi is a SH 
script, maybe it shouldn't be in there, particularly since "printenv" 
(the only other script now in cgi-bin by default) does roughly the same 
thing.

	Brian

On Fri, 31 May 1996, Aram Mirzadeh wrote:
> Thanks for the report.  We'll see about fixing this asap. 
> 
> <Aram>
> 
> >Return-Path: nobody@hyperreal.com
> >From: doug@mitchcraft.com
> >To: awm@qosina.com
> >Date: Thu May 30 23:07:21 1996
> >Subject: WWW Form Bug Report: "Security hole in test-cgi" on Linux
> >
> >Submitter: doug@mitchcraft.com
> >Operating system: Linux, version: 1.2.13
> >Version of Apache Used: 1.0.5
> >Extra Modules used: Stock RedHat
> >URL exhibiting problem: http://www.mitchcraft.com/cgi-bin/test-cgi?word *
> >
> >Symptoms:
> >--
> >The asterisk is being put into the SERVER_PROTOCOL
> >field and, because that line of test-cgi is not
> >quoted, it allows listing of the server's files.
> >
> >Mine is now quoted, so try it out.
> >
> >http://www.mitchcraft.com/cgi-bin/test-cgi?word *
> >--
> >
> >Backtrace:
> >--
> >
> >--
> >
> --
> Aram W. Mirzadeh, MIS Manager, Qosina Corporation
> http://www.qosina.com/~awm/, awm@qosina.com
> Apache httpd server team http://www.apache.org
> 
> 
> 
> 

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  |  We're hiring!  http://www.organic.com/Home/Info/Jobs/
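The mechanism Doug's report describes, as an added illustration that is not part of this thread and not the test-cgi script shipped with Apache: a constructed shell script echoes a CGI environment variable without double quotes, so the shell performs word splitting and pathname expansion on whatever the request put into it, and a lone `*` becomes a directory listing. The quoted form beside it is the fix the reporter applied. The sandbox directory, its two file names and the sample script text are constructed here; the variable name SERVER_PROTOCOL is used only to mirror the report.

```shell
#!/bin/sh
# Added example (not Apache's test-cgi): unquoted vs. quoted expansion of a
# CGI variable, plus a heuristic audit for the weak pattern.

# Create a scratch directory with two files so that a glob has something
# to match. File names are constructed sample data.
make_sandbox() {
    dir=$(mktemp -d)
    touch "$dir/index.html" "$dir/secret.conf"
    echo "$dir"
}

# Weak form: the variable is expanded unquoted, so the shell splits it into
# words and expands any glob characters against the current directory.
unquoted_echo() {
    SERVER_PROTOCOL=$1
    echo SERVER_PROTOCOL = $SERVER_PROTOCOL
}

# Hardened form: double quotes keep the value as one literal word; no glob
# expansion takes place, so a "*" is printed as a "*".
quoted_echo() {
    SERVER_PROTOCOL=$1
    echo "SERVER_PROTOCOL = $SERVER_PROTOCOL"
}

# Run one of the two variants inside the sandbox (in a subshell, so the cd
# and the variable assignment do not leak) and print its output.
run_in_sandbox() {
    dir=$1; fn=$2; value=$3
    ( cd "$dir" && "$fn" "$value" )
}

# Constructed script text resembling the pattern in the report; hypothetical,
# not the real test-cgi. Two echo lines are unquoted, one is quoted.
SAMPLE_SCRIPT='#!/bin/sh
echo CONTENT_TYPE = $CONTENT_TYPE
echo SERVER_PROTOCOL = $SERVER_PROTOCOL
echo "QUERY_STRING = $QUERY_STRING"
'

# Heuristic audit: count echo lines whose first variable expansion is not
# preceded by a double quote. Crude, but it flags the pattern above.
count_unquoted_echo_lines() {
    printf '%s' "$SAMPLE_SCRIPT" | grep -c -E '^[[:space:]]*echo[^"]*\$[A-Za-z_]'
}

# Demonstration when run directly: the same input, two outcomes.
sandbox=$(make_sandbox)
echo "unquoted: $(run_in_sandbox "$sandbox" unquoted_echo 'HTTP/1.0 *')"
echo "quoted:   $(run_in_sandbox "$sandbox" quoted_echo 'HTTP/1.0 *')"
echo "unquoted echo lines in sample script: $(count_unquoted_echo_lines)"
rm -rf "$sandbox"
```

The audit regex only catches the simple `echo ... $VAR` shape; a real review of a CGI shell script should also treat any unquoted expansion passed to `ls`, `cat`, `test` or a command substitution the same way.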

