www-apache-bugdb mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: mod_negotiation/497: cgi-bin negotiation bug -> Security hole
Date Mon, 28 Apr 1997 19:47:57 GMT
I don't have this problem on a system set up like so:

ScriptAlias /cgi-bin/ /home/www/cgi-bin/
AddHandler cgi-script .cgi

Nor on one using:

AddType application/x-httpd-cgi cgi

How is your system set up?

Dean

On Mon, 28 Apr 1997, Dan Kearns wrote:

> 
> >Number:         497
> >Category:       mod_negotiation
> >Synopsis:       cgi-bin negotiation bug -> Security hole
> >Confidential:   no
> >Severity:       critical
> >Priority:       medium
> >Responsible:    apache (Apache HTTP Project)
> >State:          open
> >Class:          sw-bug
> >Submitter-Id:   apache
> >Arrival-Date:   Mon Apr 28 12:30:01 1997
> >Originator:     dkearns@mot.com
> >Organization:
> apache
> >Release:        1.2b8
> >Environment:
> AIX/Solaris, 4.x,2.5.x, gcc, etc.
> >Description:
> If content-negotiation is turned on generally, and a cgi program (say foo.cgi)
> is called unqualified, say as /cgi-bin/foo, it loses its script-ness, and
> returns the source code as text/html!!
> 
> >How-To-Repeat:
> Find a script named foo.cgi on a machine with content-neg on, and
> call it as foo ... yikes!
> >Fix:
> This is obviously pretty bad. I will turn off negotiation in cgi-bin dirs,
> and I think something like <Files ~ .cgi|.pl> -ContentNegotiation 
> (or whatever the syntax is) will plug the hole generally, but what happens if
> there are alternate versions of a script, e.g. foo.cgi.es|en ?
> 
> Seems like maybe mod_negotiation should be moved the other side of mod_cgi
> in the Makefile?? I don't know what that might affect though...
> >Audit-Trail:
> >Unformatted:
> 
> 
> 
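
The report's stopgap is to turn negotiation off in cgi-bin directories. The Python check below is an added example, not part of the original thread or of Apache: it lists ScriptAlias target directories where negotiation is still in effect. It assumes negotiation is enabled through `Options MultiViews`, which the report does not state, and it models only `<Directory>` sections with a simplified Options merge; the function names are hypothetical.

```python
# Constructed sample config (not from the report); its first two lines match the reply above.
SAMPLE_CONF = """\
ScriptAlias /cgi-bin/ /home/www/cgi-bin/
AddHandler cgi-script .cgi
<Directory />
Options Indexes MultiViews
</Directory>
<Directory /home/www/cgi-bin>
Options +ExecCGI
</Directory>
"""

def norm(path):
    return path.rstrip("/") or "/"

def merge(inherited, args):
    """Apply one Options line: +/- tokens adjust the inherited set, bare tokens replace it."""
    opts = set(inherited) if all(a[0] in "+-" for a in args) else set()
    for a in args:
        (opts.discard if a[0] == "-" else opts.add)(a.lstrip("+-").lower())
    return opts

def negotiated_script_dirs(conf):
    """Return ScriptAlias target directories where MultiViews is still in effect."""
    script_dirs, options, section = [], [], ""   # "" means server-wide scope
    for line in (l.strip() for l in conf.splitlines()):
        words = line.split()
        if not words or line.startswith("#"):
            continue
        key = words[0].lower()
        if key == "<directory" and len(words) > 1:
            section = norm(words[1].rstrip(">").strip('"'))
        elif key == "</directory>":
            section = ""
        elif key == "scriptalias" and len(words) == 3:
            script_dirs.append(norm(words[2]))
        elif key == "options":
            options.append((section, words[1:]))
    flagged = []
    for d in script_dirs:
        opts = set()
        for scope, args in sorted(options, key=lambda o: len(o[0])):  # parents first
            if scope in ("", "/") or d == scope or d.startswith(scope + "/"):
                opts = merge(opts, args)
        if "multiviews" in opts:   # "Options All" does not include MultiViews
            flagged.append(d)
    return flagged
```

On the sample, `/home/www/cgi-bin` is flagged because `Options +ExecCGI` merges with the inherited MultiViews; changing that line to `Options +ExecCGI -MultiViews` clears it.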

