Posted to dev@httpd.apache.org by Rob Hartill <ha...@ooo.lanl.gov> on 1996/04/22 19:12:43 UTC

security hole. bluff?

has anyone yet seen an example of how to exploit 
the recent security "hole"?




Re: security hole. bluff?

Posted by Brian Behlendorf <br...@organic.com>.
On Mon, 22 Apr 1996, Tom Tromey wrote:
> Rob> has anyone yet seen an example of how to exploit the recent
> Rob> security "hole"?
> 
> I saw a note on comp.infosystems.www.servers.unix that indicated that
> there was no way to exploit the hole.  The message said that the
> reason \n should be escaped is for poorly-written CGIs.  The author
> said he had talked to the originator of the report...
> 
> I have no idea if this bears any relation to reality.

The gentleman whose message I responded to, bcc'ing the list, came back 
and said "I don't have to prove anything to you, if you just read 
comp.security you're way out of the loop, this hole has compromised 
some of the biggest sites on the net".  I asked him to put up or shut up, 
and he has yet to come back.  

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  |  We're hiring!  http://www.organic.com/Home/Info/Jobs/


Re: security hole. bluff?

Posted by Tom Tromey <tr...@creche.cygnus.com>.
Rob> has anyone yet seen an example of how to exploit the recent
Rob> security "hole"?

I saw a note on comp.infosystems.www.servers.unix that indicated that
there was no way to exploit the hole.  The message said that the
reason \n should be escaped is for poorly-written CGIs.  The author
said he had talked to the originator of the report...

I have no idea if this bears any relation to reality.

Tom
-- 
tromey@cygnus.com                 Member, League for Programming Freedom