httpd-dev mailing list archives

From TOKI...@aol.com
Subject Re: WIN32 CGI - SECURITY THREAT - 4 OF 4
Date Tue, 26 Jan 1999 03:42:57 GMT
In a message dated 99-01-26 03:13:26 EST, you write:

> I suggest that you enter them into the bug database at
>  http://bugs.apache.org/.  That way they can be tracked in a more organized
>  manner than just posted to a mailing list.  Not that posting things for
>  discussion first was wrong - that was fine - but posting them to the bugdb
>  would help ensure closure. 
>  
>  	Brian
>  

If I get a chance I will.

The WIN32 CGI issues that may or may not be addressed by
the postings are already OPEN PR's.

There are over 92 OPEN PR's already regarding CGI. A lot of
them are Win32.

The postings represent possible solutions for existing problems.
Not new problems.

The 'security' posting is pending. I still have not heard from anyone
who wrote that piece of code if it should be a PR or not. I'll leave it
up to them. As stated... I (personally) am not seriously affected
since I don't run a public Web Server. INTRA-NET only here and
small number of trusted developers.

Mark Slemko has requested a 'real demonstration' of why 
non-checked calling of any command shell under Win32 can
offer opportunities to 'escape' the 'normal' security considerations
and I will supply him with such an example. If, at that time,
Mr Slemko thinks it's a problem I'll fire a PR on it.
