httpd-dev mailing list archives

From Mark-Jason Dominus
Subject Seeking information about old NCSA httpd `finger' bug
Date Mon, 22 Jun 1998 13:51:27 GMT

Back around 1995 or so there was a problem with a sample application
distributed with NCSA httpd.  The application was a shell script that
was supposed to deliver the `finger' service on the web.  

The problem was pretty typical; I think if you put some sort of shell
metacharacter into the query string, you could get the program to
execute arbitrary commands.  But I don't remember it exactly.  

I am going to be giving a talk about security and the WWW, and I
wanted to discuss this episode.  I've been over the CERT archives and
I can't find any information about it, and I've even dug up the old
source code and found the script, but I can't figure out how to
exercise the bug.

Is there anyone who remembers this and can remind me of the details?
