www-apache-bugdb mailing list archives

From Reuben Smith <w0rms...@hotmail.com>
Subject general/2182: test-cgi security flaw
Date Tue, 05 May 1998 15:24:09 GMT

>Number:         2182
>Category:       general
>Synopsis:       test-cgi security flaw
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue May  5 08:30:00 PDT 1998
>Originator:     w0rms1gn@hotmail.com
>Release:        1.2.6 and 1.3b6
un-important -- it's higher level than OS
This is just a bug in the test-cgi script that's distributed with your server.
It occurs when you simply append " *" or something like that to the end of a
server that has the test-cgi script viewable to the public.  It allows the
remote user to list any files on the remote system that the user running
test-cgi can list (I guess it runs as nobody, normally).  This is bad.

I'm sure you don't recommend that people keep that script on their site -- but
at the same time, it's not good to introduce security holes if they do so.
"http://web.foo.com/cgi-bin/test-cgi /*"
Just put quotes around the $SERVER_PROTOCOL variable in the script... it might
be an idea to put quotes around all the variables, so that silly problems like
this don't pop up again.
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
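
The quoting fix suggested in the report, shown as an added shell example that is not part of the original message and is not Apache's test-cgi script. The function names, the `echo` lines standing in for the script's output, and the sandbox files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: unquoted vs. quoted expansion of a request-derived variable.
# The echo lines are an assumed stand-in for how a CGI test script prints
# SERVER_PROTOCOL; they are not copied from the distributed script.

# Unquoted form: the shell word-splits the value and then performs pathname
# expansion, so a "*" supplied in the request is replaced by file names.
report_unquoted() {
    SERVER_PROTOCOL=$1
    echo SERVER_PROTOCOL = $SERVER_PROTOCOL
}

# Quoted form (the fix proposed in the report): the value is printed as data.
report_quoted() {
    SERVER_PROTOCOL=$1
    echo "SERVER_PROTOCOL = $SERVER_PROTOCOL"
}

# Constructed sandbox so the demonstration is deterministic and offline.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    : > "$dir/notes.txt"
    : > "$dir/passwd.bak"
    echo "$dir"
}

demo() {
    sandbox=$(make_sandbox) || return 1
    # Constructed value with a glob pattern where a protocol string belongs.
    value="$sandbox/* HTTP/1.0"
    echo "unquoted -> $(report_unquoted "$value")"
    echo "quoted   -> $(report_quoted "$value")"
    rm -rf "$sandbox"
}

demo
```

A review check that follows from this: search CGI shell scripts for `$VAR` expansions outside double quotes, since each one is subject to the same expansion.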
