www-apache-bugdb mailing list archives

From Michael Kurth <ki...@succeed.net>
Subject config/371: echo $CONTENT_TYPE unquoted
Date Sat, 12 Apr 1997 20:10:02 GMT

>Number:         371
>Category:       config
>Synopsis:       echo $CONTENT_TYPE unquoted
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          support
>Submitter-Id:   apache
>Arrival-Date:   Sat Apr 12 13:10:01 1997
>Originator:     kill9@succeed.net
>Organization:
apache
>Release:        up to 1.1.3, not sure of 1.2+
>Environment:
N/A - test-cgi script included by default
>Description:
test-cgi echoes $CONTENT_TYPE unquoted. Content type can be a user-supplied variable. If they
telnet or use netcat to send

GET /cgi-bin/test-cgi HTTP/1.0
Content-type: *

they will get a directory listing of the cgi-bin.
This is a well-known bug and I am surprised to see the 'secure' distribution of 1.1.3 still
has the test-cgi with this same hole.
>How-To-Repeat:
GET /cgi-bin/test-cgi HTTP/1.0
Content-type: *
>Fix:
Put EVERYTHING that could possibly result in the accidental execution of other commands in
quotes.
>Audit-Trail:
>Unformatted:
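
Added example, not part of the original report and not the project's own code: the unquoted echo the report describes next to the quoted form it asks for, plus a heuristic check for the same pattern in a script. The function names, file names and sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names, file names and the sample script are constructed.

# Pattern from the report: unquoted expansion, so the shell applies word
# splitting and pathname expansion (globbing) to the client-supplied value.
echo_unquoted() {
    echo CONTENT_TYPE = $CONTENT_TYPE
}

# The reported fix: quote the expansion so the value is printed literally.
echo_quoted() {
    printf 'CONTENT_TYPE = %s\n' "$CONTENT_TYPE"
}

# Heuristic audit: drop double-quoted spans, then report echo lines that still
# contain a $NAME expansion. Single quotes and multi-line strings are not handled.
audit_unquoted() {
    sed 's/"[^"]*"//g' "$1" | grep -nE '^[[:space:]]*echo[[:space:]].*\$[A-Za-z_{]'
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed stand-in for a cgi-bin directory and a CGI script.
    touch "$dir/printenv" "$dir/test-cgi"
    printf '%s\n' 'echo CONTENT_TYPE = $CONTENT_TYPE' \
                  'echo "QUERY_STRING = $QUERY_STRING"' > "$dir/sample.sh"
    (
        cd "$dir" || exit 1
        CONTENT_TYPE='*'          # value taken from the request header
        echo "unquoted -> $(echo_unquoted)"
        echo "quoted   -> $(echo_quoted)"
        echo "audit    -> $(audit_unquoted sample.sh)"
    )
    rm -rf "$dir"
}

demo
```

The audit is a line-based heuristic and will miss or over-report some cases; a shell linter gives fuller coverage of unquoted expansions.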


