httpd-dev mailing list archives

From: Martin Kraemer <Martin.Krae...@mch.sni.de>
Subject: [CGI Security] Hole in Netscape Commerce Server
Date: Tue, 07 Oct 1997 19:48:59 GMT

The German computer magazine c't reported in an article published on
24-Sep-97 <URL:http://www.heise.de/newsticker/data/hb-24.09.97-000/>
(in German!) about a hole that exists in Netscape Commerce- and
Communication Server Version 1.12 and 2.0 (and which was stuffed
in Apache long ago -- was it?!?):
When a CGI document is access protected, the protection can be
circumvented just by appending a /xxx path info to the CGI URL. The
examples which are demonstrated by c't can be tested at
<URL:http://www.heise.de/bin/showsecrets>   (protected CGI script) and
<URL:http://www.heise.de/bin/showsecrets/foobar> (accessible)....

Didn't see a notice about it on this list yet.

    Martin
-- 
| S I E M E N S |  <Martin.Kraemer@mch.sni.de>  |      Siemens Nixdorf
| ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
| N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request
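
An added illustration, not part of the original message and not Netscape or Apache code: a toy model of the failure class described above, assuming the access check is compared against the raw URL rather than the script that CGI path-info mapping selects. The script table, ACL set and function names are hypothetical.

```python
# Toy model of CGI access control and PATH_INFO (added example).
# CGI_SCRIPTS, PROTECTED and all functions are hypothetical; the naive check
# is an assumed failure mode, not the actual server implementation.

CGI_SCRIPTS = {"/bin/showsecrets", "/bin/search"}   # constructed sample
PROTECTED = {"/bin/showsecrets"}                    # paths requiring auth


def split_cgi(url_path):
    """Return (script_name, path_info) the way a CGI server maps a URL:
    the longest leading prefix that names a script is the script, and the
    remainder is handed to it as PATH_INFO."""
    parts = url_path.split("/")
    for end in range(len(parts), 1, -1):
        candidate = "/".join(parts[:end])
        if candidate in CGI_SCRIPTS:
            return candidate, url_path[len(candidate):]
    return None, ""


def allowed_naive(url_path, authenticated):
    """Flawed: compares the ACL entry with the raw URL, so any trailing
    PATH_INFO makes the protected entry fail to match."""
    return authenticated or url_path not in PROTECTED


def allowed_fixed(url_path, authenticated):
    """Checks the ACL against the script that will actually execute."""
    script, _ = split_cgi(url_path)
    target = script if script is not None else url_path
    return authenticated or target not in PROTECTED


def regression_report(paths):
    """List paths where the two checks disagree for an anonymous client."""
    return [p for p in paths
            if allowed_naive(p, False) != allowed_fixed(p, False)]


if __name__ == "__main__":
    sample = ["/bin/showsecrets", "/bin/showsecrets/foobar",
              "/bin/search/x", "/index.html"]
    for p in sample:
        print(p, split_cgi(p), allowed_naive(p, False), allowed_fixed(p, False))
    print("disagreements:", regression_report(sample))
```

Any path listed by `regression_report` is one where the authorization decision and the executed script disagree, which is the condition a server's access-control tests should rule out.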
