Posted to apache-bugdb@apache.org by Marc Slemko <ma...@znep.com> on 1998/05/05 23:10:00 UTC
Re: general/2182: test-cgi security flaw (fwd)
The following reply was made to PR general/2182; it has been noted by GNATS.
From: Marc Slemko <ma...@znep.com>
To: Apache bugs database <ap...@apache.org>
Cc:
Subject: Re: general/2182: test-cgi security flaw (fwd)
Date: Tue, 5 May 1998 13:53:40 -0600 (MDT)
---------- Forwarded message ----------
Date: Tue, 05 May 1998 12:15:25 PDT
From: wOrm sign <w0...@hotmail.com>
To: marc@apache.org, marc@hyperreal.org
Cc: apache-bugdb@apache.org
Subject: Re: general/2182: test-cgi security flaw
>Synopsis: test-cgi security flaw
>
>State-Changed-From-To: open-analyzed
>State-Changed-By: marc
>State-Changed-When: Tue May 5 08:32:47 PDT 1998
>State-Changed-Why:
>What OS are you using?
>
>Are you sure you aren't using an old copy of test-cgi?
>
>The version distributed with Apache is _NOT_ vulnerable to
>this problem unless you use a very broken shell. Note the:
>
># disable filename globbing
>set -f
>
>line.
Hey, sorry about that. I'm mistaken. I downloaded the tar/gzipped
source this morning to make sure the bug still existed, without actually
trying the script. I looked for quotes, and saw none, not thinking that
a more robust solution might have been implemented. The test-cgi script
I use on my home box is indeed very old.
I'm not that familiar with this PR system, so maybe if you could close
this for me...
sorry again, Reuben
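Added example, not part of the original thread and not code from Apache's test-cgi: a small shell check of the two defences discussed above, `set -f` and quoting, applied to an unquoted `echo` of an externally supplied value. The function names, the `VALUE =` label, the scratch directory and the sample input are all assumptions made for the demonstration; it also shows that `set -f` stops filename expansion but still lets the shell split the value on whitespace, which quoting prevents.

```shell
#!/bin/sh
# Constructed scratch directory standing in for a CGI working directory.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
touch "$DEMO_DIR/alpha.txt" "$DEMO_DIR/beta.txt"

# Unquoted expansion, globbing on: patterns in the value are replaced by
# matching file names before echo runs.
echo_unquoted() (
    cd "$DEMO_DIR" || exit 1
    set +f
    echo VALUE = $1
)

# Same unquoted line after `set -f` (the mitigation quoted in the reply):
# no pathname expansion, but the value is still split on whitespace.
echo_noglob() (
    cd "$DEMO_DIR" || exit 1
    set -f
    echo VALUE = $1
)

# Quoted expansion: neither pathname expansion nor word splitting.
echo_quoted() (
    cd "$DEMO_DIR" || exit 1
    set +f
    echo "VALUE = $1"
)

# Constructed input: a glob character surrounded by runs of spaces.
SAMPLE='a   *   b'
for variant in echo_unquoted echo_noglob echo_quoted; do
    printf '%-14s %s\n' "$variant" "$("$variant" "$SAMPLE")"
done
```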