Posted to apache-bugdb@apache.org by Michael Kurth <ki...@succeed.net> on 1997/04/12 22:10:02 UTC

config/371: echo $CONTENT_TYPE unquoted

>Number:         371
>Category:       config
>Synopsis:       echo $CONTENT_TYPE unquoted
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          support
>Submitter-Id:   apache
>Arrival-Date:   Sat Apr 12 13:10:01 1997
>Originator:     kill9@succeed.net
>Organization:
apache
>Release:        up to 1.1.3, not sure of 1.2+
>Environment:
N/A - test-cgi script included by default
>Description:
test-cgi echoes $CONTENT_TYPE unquoted. Content type can be a user-supplied variable if they telnet or use netcat to send

GET /cgi-bin/test-cgi HTTP/1.0
Content-type: *

They will get a directory listing of the cgi-bin.
This is a well-known bug and I am surprised to see the 'secure' distribution of 1.1.3 still has the test-cgi with this same hole.
>How-To-Repeat:
GET /cgi-bin/test-cgi HTTP/1.0
Content-type: *
>Fix:
Put EVERYTHING that could possibly result in the accidental execution of other commands in quotes.
>Audit-Trail:
>Unformatted:
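
Added example, not part of the original report and not Apache's test-cgi source: the unquoted echo the report describes next to the quoted fix, plus a heuristic check for the same pattern in other CGI shell scripts. The function names, file names and the exact echo line are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed demo. Function and file names are hypothetical; the echo line
# mirrors the pattern the report describes, not Apache's actual test-cgi source.

# Unquoted: after expansion the shell word-splits the value and globs it
# against the current directory, so "*" becomes a list of file names.
echo_unquoted() {
    echo CONTENT_TYPE = $CONTENT_TYPE
}

# Quoted: the value is passed to echo as literal text.
echo_quoted() {
    echo "CONTENT_TYPE = $CONTENT_TYPE"
}

# Heuristic audit: print "line:text" for echo lines where a $VAR expansion
# appears before any quote character. It misses an unquoted expansion that
# follows a quoted one on the same line.
find_unquoted_echo() {
    grep -nE "^[[:space:]]*echo[[:space:]][^\"']*\\\$[A-Za-z_{]" "$1"
}

# Run both forms in a scratch directory holding constructed file names.
demo() {
    dir=$(mktemp -d) || return 1
    touch "$dir/printenv" "$dir/test-cgi"
    (
        cd "$dir" || exit 1
        CONTENT_TYPE='*'   # value taken from the request header in the report
        echo "unquoted -> $(echo_unquoted)"
        echo "quoted   -> $(echo_quoted)"
    )
    rm -rf "$dir"
}

demo
```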