From: Rich Bowen
Date: Sun, 2 Jun 2002 15:24:55 -0400 (EDT)
Subject: Re: Problem with CGI

On Sun, 2 Jun 2002, Lior Hammer wrote:

> Hello,
> I have a little problem with CGI under RedHat Linux 7.2 with Apache 1.3.22.
> I exec these commands:
>
> mkdir /perl
> ln -s /usr/bin/perl /perl/perl
>
> Then, I added these lines to my httpd.conf:
>
> ScriptAlias /perl_location/ "/perl/"

I'm not really clear on what you *expect* to happen if this were to work
"correctly", but this is an amazingly bad idea, as it means that I, as a
random user from the Internet, can pass commands DIRECTLY to your Perl
interpreter to make it do whatever I like, by, for example, accessing the
URL on your server:

http://servername/perl/perl?system(rm%20-rf%20/);

or something of that nature. This used to be a rather common problem on
Windows machines, when folks would put perl.exe in their cgi directory,
but I have not seen this done on Unix systems before.

--
Pilgrim, how you journey on the road you chose
To find out where the winds die and where the stories go
--Pilgrim (Enya - A Day Without Rain)
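As an added illustration, not part of the thread, the misconfiguration Rich describes can be audited from the defender's side: the script below parses ScriptAlias directives from an httpd.conf, walks each aliased directory, and flags any entry that is an interpreter binary or a symlink resolving to one (exactly what `ln -s /usr/bin/perl /perl/perl` creates). The INTERPRETERS set, the directive regex and the temporary demo layout are assumptions constructed for this example.

```python
import os
import re
import tempfile
from pathlib import Path

# Interpreter basenames that must never be reachable as CGI programs: a request
# for one of them hands the query string straight to the interpreter.
INTERPRETERS = {"perl", "sh", "bash", "python", "python2", "python3", "php", "ruby"}

# Matches: ScriptAlias /url-prefix/ "/filesystem/dir/"   (quotes optional)
SCRIPTALIAS_RE = re.compile(r'^\s*ScriptAlias\s+(\S+)\s+"?([^"\s]+)"?', re.IGNORECASE)


def scriptalias_dirs(conf_text):
    """Return (url_prefix, directory) pairs for every ScriptAlias line."""
    matches = (SCRIPTALIAS_RE.match(line) for line in conf_text.splitlines())
    return [m.groups() for m in matches if m]


def exposed_interpreters(conf_text):
    """Return (url, path, real_path) for every entry of a ScriptAlias directory
    that is an interpreter binary or a symlink resolving to one."""
    findings = []
    for url_prefix, directory in scriptalias_dirs(conf_text):
        d = Path(directory)
        if not d.is_dir():
            continue
        for entry in sorted(d.iterdir()):
            real = Path(os.path.realpath(entry))  # follows the symlink
            if entry.name in INTERPRETERS or real.name in INTERPRETERS:
                url = url_prefix.rstrip("/") + "/" + entry.name
                findings.append((url, str(entry), str(real)))
    return findings


def demo():
    """Constructed layout mirroring the thread: a fake perl binary symlinked
    into a ScriptAlias directory beside a harmless CGI script."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "bin").mkdir()
    (tmp / "bin" / "perl").write_text("#!/bin/sh\necho fake interpreter\n")
    cgi = tmp / "cgi-bin"
    cgi.mkdir()
    (cgi / "hello.cgi").write_text("#!/usr/bin/perl\nprint 'ok';\n")
    os.symlink(tmp / "bin" / "perl", cgi / "perl")  # the `ln -s` from the thread
    conf = f'ScriptAlias /perl_location/ "{cgi}/"\n'
    return exposed_interpreters(conf)  # -> one finding for /perl_location/perl
```

The fix is the usual one: a ScriptAlias directory should contain only your own scripts, each starting with a `#!/usr/bin/perl` line, and never the interpreter itself.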