You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Martin Kraemer <Ma...@mch.sni.de> on 1997/10/07 21:48:59 UTC

[CGI Security] Hole in Netscape Commerce Server

The german computer magazine c't reported in an article published on
24-Sep-97 <URL:http://www.heise.de/newsticker/data/hb-24.09.97-000/>
(in german!) about a hole that exists in Netscape Commerce- and
Communication Server Version 1.12 and 2.0 (and which was stuffed
in apache long ago -- was it?!?):
when a CGI document is access protected, the protection can be
circumvented just by appending a /xxx path info to the CGI URL. The
examples which are demonstrated by c't can be tested at
<URL:http://www.heise.de/bin/showsecrets>   (protected CGI script) and
<URL:http://www.heise.de/bin/showsecrets/foobar> (accessible)....

Didn't see a notice about it on this list yet.

    Martin
-- 
| S I E M E N S |  <Ma...@mch.sni.de>  |      Siemens Nixdorf
| ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
| N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request