www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jamie Chamoulos <ja...@efn.org>
Subject general/1605: possible password crack?
Date Mon, 29 Dec 1997 12:35:34 GMT

>Number:         1605
>Category:       general
>Synopsis:       possible password crack?
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Dec 29 04:40:00 PST 1997
>Last-Modified:
>Originator:     jamie@efn.org
>Organization:
apache
>Release:        1.2.4
>Environment:
linux 2.0.32 (upgraded from 2.0.27), apache 1.2.4 i486
>Description:
Someone tried this:
"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd" 302 -
I got this from the access_log, the error_log shows it failed (client denied by server configuration)
so... is this a security problem? 
when i did the same thing (from a workstation on the same network, i got jetted to
a cgi script on phf.apache.org....
saying im on candid camera~!
???? 
>How-To-Repeat:
http://jamieweb.dyn.ml.org/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
>Fix:
dont even know if its something that needs fixing%2
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]




Mime
View raw message