www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dan Kearns <dkea...@mot.com>
Subject mod_negotiation/497: cgi-bin negotiation bug -> Security hole
Date Mon, 28 Apr 1997 19:30:02 GMT

>Number:         497
>Category:       mod_negotiation
>Synopsis:       cgi-bin negotiation bug -> Security hole
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Apr 28 12:30:01 1997
>Originator:     dkearns@mot.com
>Release:        1.2b8
AIX/Solaris, 4.x,2.5.x, gcc, etc.
If content-negotiation is turned on generally, and a cgi program (say foo.cgi)
is called unqualified, say as /cgi-bin/foo, it loses its script-ness, and
returns the source code as text/html!!

Find a script named foo.cgi on a machine with content-neg on, and
call it as foo ... yikes!
This is obviously pretty bad. I will turn off negotiation in cgi-bin dirs,
and I think something like <Files ~ .cgi|.pl> -ContentNegotiation 
(or whatever the syntax is) will plug the hole generally, but what happens if
there are alternate version of a script, eg foo.cgi.es|en ?

Seems like maybe mod_negotiation should be moved the other side of mod_cgi
in the Makefile?? I don't know what that might affect though...

View raw message