Posted to apache-bugdb@apache.org by Michael Kurth <ki...@succeed.net> on 1997/04/12 22:10:02 UTC
config/371: echo $CONTENT_TYPE unquoted
>Number: 371
>Category: config
>Synopsis: echo $CONTENT_TYPE unquoted
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: support
>Submitter-Id: apache
>Arrival-Date: Sat Apr 12 13:10:01 1997
>Originator: kill9@succeed.net
>Organization:
apache
>Release: up to 1.1.3, not sure of 1.2+
>Environment:
N/A - test-cgi script included by default
>Description:
test-cgi echoes $CONTENT_TYPE unquoted. Content type can be a user-supplied variable; if they telnet or use netcat to send
GET /cgi-bin/test-cgi HTTP/1.0
Content-type: *
they will get a directory listing of the cgi-bin.
This is a well-known bug and I am surprised to see the 'secure' distribution of 1.1.3 still has the test-cgi with this same hole.
>How-To-Repeat:
GET /cgi-bin/test-cgi HTTP/1.0
Content-type: *
>Fix:
Put EVERYTHING that could possibly result in the accidental execution of other commands in quotes.
>Audit-Trail:
>Unformatted:
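
The quoting difference behind this report, as an added example that is not part of the original report or of the Apache distribution. The function names, the scratch directory and its file names are constructed for illustration; the scratch directory stands in for cgi-bin and no web server is involved.

```shell
#!/bin/sh
# Added example: constructed stand-in for the situation in the report.

# Same shape as the line the report describes: the variable is expanded
# unquoted, so the shell applies field splitting and pathname expansion
# to its value before echo ever sees it.
echo_unquoted() {
    echo CONTENT_TYPE = $CONTENT_TYPE
}

# Fixed form: inside double quotes the value stays one literal word.
# printf also avoids echo's implementation-defined treatment of
# backslashes and leading dashes in request-supplied data.
echo_quoted() {
    printf '%s\n' "CONTENT_TYPE = $CONTENT_TYPE"
}

# run_in_dir DIR FUNC VALUE
# Runs FUNC with CONTENT_TYPE set to VALUE and DIR as the working
# directory, the way a CGI script runs inside its own directory.
# The assignment itself is safe: assignments are not glob-expanded.
run_in_dir() {
    ( cd "$1" && CONTENT_TYPE=$3 && "$2" )
}

# Constructed scratch directory with three empty files.
SCRATCH=$(mktemp -d) || exit 1
trap 'rm -rf "$SCRATCH"' EXIT
: > "$SCRATCH/printenv"
: > "$SCRATCH/test-cgi"
: > "$SCRATCH/private-tool"

# Header value taken from the report: a single asterisk.
printf 'unquoted: %s\n' "$(run_in_dir "$SCRATCH" echo_unquoted '*')"
printf 'quoted:   %s\n' "$(run_in_dir "$SCRATCH" echo_quoted '*')"

# An ordinary value is unaffected either way, which is why the flaw
# goes unnoticed in normal testing.
printf 'unquoted: %s\n' "$(run_in_dir "$SCRATCH" echo_unquoted 'text/plain')"
```

The unquoted form prints the scratch directory's file names in place of the asterisk, while the quoted form prints the asterisk itself.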