httpd-users mailing list archives

From Rich Bowen <rbo...@rcbowen.com>
Subject Re: Problem with CGI
Date Sun, 02 Jun 2002 19:24:55 GMT
On Sun, 2 Jun 2002, Lior Hammer wrote:

> Hello,
> I have a little problem with CGI under RedHat Linux 7.2 with Apache 1.3.22
> I exec these commands:
>
> mkdir /perl
> ln -s /usr/bin/perl /perl/perl
>
> Then, I added these lines to my httpd.conf:
>
> ScriptAlias /perl_location/ "/perl/"

I'm not real clear on what you *expect* to happen if this were to work
"correctly", but this is an amazingly bad idea, as it means that I, as a
random user from the Internet, can pass commands DIRECTLY to your Perl
interpreter to make it do whatever I like, by, for example, accessing
the URL on your server:
http://servername/perl/perl?system(rm%20-rf%20/);

or something of that nature.

This used to be a rather common problem on Windows machines, when folks
would put perl.exe in their cgi directory, but I have not seen this done
on Unix systems before.

-- 
Pilgrim, how you journey on the road you chose
To find out where the winds die and where the stories go
 --Pilgrim (Enya - A Day Without Rain)
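
A defensive check for the misconfiguration discussed in this thread, as an added example that is not part of the original message: it reads the ScriptAlias directives from an httpd.conf and flags any entry in those directories that resolves, through symlinks, to an interpreter binary. The function names and the interpreter name list are assumptions, and it relies on GNU `readlink -f`.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Interpreter basenames to flag: an assumed list, extend it for your site.
INTERPRETERS='perl|python|ruby|php|php-cgi|sh|bash|dash|ksh|zsh|tclsh'

# Print the directory argument of each active ScriptAlias directive in the
# config file $1. Commented-out directives are skipped. Assumes the path
# contains no whitespace.
scriptalias_dirs() {
    awk 'tolower($1) == "scriptalias" {
             gsub(/"/, "", $3)     # drop optional quotes
             sub(/\/$/, "", $3)    # drop trailing slash
             print $3
         }' "$1"
}

# For every entry in every ScriptAlias directory, resolve symlinks and print
# "entry -> resolved" when the resolved file name is an interpreter.
# Returns 1 if anything was flagged, 0 otherwise.
audit_scriptalias() {
    conf=$1
    found=0
    for dir in $(scriptalias_dirs "$conf"); do
        for entry in "$dir"/*; do
            [ -e "$entry" ] || continue          # empty or missing directory
            real=$(readlink -f "$entry")         # follow symlinks (GNU readlink)
            name=$(basename "$real")
            # Match e.g. perl, perl5.36.0, python3, perl.exe
            if printf '%s\n' "$name" | grep -Eq "^($INTERPRETERS)[0-9.]*(\.exe)?$"; then
                printf '%s -> %s\n' "$entry" "$real"
                found=1
            fi
        done
    done
    return "$found"
}
```

After sourcing the file, run `audit_scriptalias` with the path to the server's httpd.conf; a non-zero exit status means at least one interpreter is reachable as a CGI program.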

