Posted to dev@httpd.apache.org by Andrew Wilson <an...@tees.elsevier.co.uk> on 1995/11/02 17:36:16 UTC
Re: WWW Form Bug Report: "Security bug involving ScriptAliased
directories" on Linux
> ack sent... I can't seem to replicate the problem, but I thought
> I would share it with the group, just in case someone else can
> replicate it.
>
> I've asked for specifications on the type of system being run on
> as well as which modules are being included.
>
>
> >X-POP3-Rcpt: awm@luers.qosina.com
> >From: craig@craigster.com
> >To: awm@qosina.com
> >Date: Wed Nov 1 17:28:44 1995
> >Subject: WWW Form Bug Report: "Security bug involving ScriptAliased
> directories" on Linux
> >
> >Submitter: craig@craigster.com
> >Operating system: Linux, version: 1.2.13
> >Extra Modules used: none
> >URL exhibiting problem: http://www.apache.org//cgi-bin/access_count
> >
> >Symptoms:
> >--
> >If someone puts an extra "/" in a URL that points to
> >an executable file in a ScriptAliased directory, the
> >SOURCE of a Perl script (or binary information for
> >compiled programs) is output as plain text.
Yuk, right. Some weird interaction of the u+x code possibly.
Or perhaps...
> >The problem occurs in both Netscape and Lynx.
> >
> >Please respond ASAP, as this is a serious security
> >issue for us and we're looking for a fix. We have
> >triple-checked our configuration files, and don't
> >see any problems on our end. The bug is even evident
> >on APACHE.ORG's server.
Shit. Someone check this ASAP? I think it's a showstopper.