httpd-dev mailing list archives

From Alexei Kosut <ako...@nueva.pvt.k12.ca.us>
Subject Re: Vulnerability in test-cgi
Date Sat, 07 Dec 1996 03:24:58 GMT

On Fri, 6 Dec 1996, Rob Hartill wrote:

> thanks for the information. We'll take a look. It doesn't sound like
> a serious problem but it doesn't hurt to get rid of it.

Actually, it is a serious problem (it can basically be used to get a
complete directory listing of the entire filesystem). But we went
through this a few months ago, when we were first made aware of
it. Which is (one of the reasons) we got rid of the CGI scripts we
used to include, and disabled execution of the two that are there. I
did think that we had at least fixed test-cgi, though... it's the
addition of a coupla quotation marks. *shrug*

And it's not just Content-type - it's all the unquoted variables in
that script. REQUEST_METHOD was the one we looked at originally.

-- 
________________________________________________________________________
Alexei Kosut <akosut@nueva.pvt.k12.ca.us>      The Apache HTTP Server
URL: http://www.nueva.pvt.k12.ca.us/~akosut/   http://www.apache.org/
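
Added example, not part of the original message and not Apache's own test-cgi code: a shell sketch of why an unquoted variable in such a script is a problem and how the quotation marks mentioned above change the result. The function names, the scratch directory and its two file names are constructed for illustration.

```shell
#!/bin/sh
# Constructed stand-in for one reporting line of a test-cgi style script.
# Function names and sample files are hypothetical, chosen for this example.

# Unquoted expansion: after substituting the variable, the shell applies
# pathname expansion (globbing) to the result, so a value such as "*" is
# replaced by the names of the files in the current directory.
report_unquoted() {
    REQUEST_METHOD=$1
    echo REQUEST_METHOD = $REQUEST_METHOD
}

# Quoted expansion: the value is printed exactly as received, because
# double quotes suppress pathname expansion and word splitting.
report_quoted() {
    REQUEST_METHOD=$1
    echo "REQUEST_METHOD = $REQUEST_METHOD"
}

# Run one of the reporters inside a scratch directory holding two known
# files, passing it a value that contains a glob character.
demo() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && touch alpha.conf beta.log && "$1" '*' )
    rm -rf "$dir"
}

demo report_unquoted   # prints: REQUEST_METHOD = alpha.conf beta.log
demo report_quoted     # prints: REQUEST_METHOD = *
```

The same check applies to every variable the script echoes, so an audit of such a script should look for any `$NAME` that appears outside double quotes.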

