Posted to apache-bugdb@apache.org by Reuben Smith <w0...@hotmail.com> on 1998/05/05 17:24:09 UTC
general/2182: test-cgi security flaw
>Number: 2182
>Category: general
>Synopsis: test-cgi security flaw
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Tue May 5 08:30:00 PDT 1998
>Last-Modified:
>Originator: w0rms1gn@hotmail.com
>Organization:
apache
>Release: 1.2.6 and 1.3b6
>Environment:
unimportant -- it's higher level than OS
>Description:
This is just a bug in the test-cgi script that's distributed with your server.
It occurs when you simply append " *" or something like that to the end of a
server that has the test-cgi script viewable to the public. It allows the
remote user to list any files on the remote system that the user running
test-cgi can list (I guess it runs as nobody, normally). This is bad.
I'm sure you don't recommend that people keep that script on their site -- but
at the same time, it's not good to introduce security holes if they do so.
>How-To-Repeat:
"http://web.foo.com/cgi-bin/test-cgi /*"
>Fix:
Just put quotes around the $SERVER_PROTOCOL variable in the script... it might
be an idea to put quotes around all the variables, so that silly problems like
this don't pop up again.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
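
The unquoted expansion described in the report, next to the quoted form proposed under >Fix:, as an added example that is not part of the original report and is not the test-cgi script itself. The function names, the scratch directory, its two files and the SERVER_PROTOCOL value are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the test-cgi script. All names and values below are
# constructed; SERVER_PROTOCOL is set by hand to stand in for a value the
# web server would hand to the CGI.

# Unquoted expansion: the shell word-splits the value and then performs
# pathname expansion, so a "*" word is replaced by matching file names.
render_unquoted() {
    echo SERVER_PROTOCOL = $SERVER_PROTOCOL
}

# Quoted expansion (the fix proposed in the report): the whole value
# reaches echo as literal text, with no splitting and no globbing.
render_quoted() {
    echo "SERVER_PROTOCOL = $SERVER_PROTOCOL"
}

# Run one renderer inside a scratch directory that holds two constructed
# files, so the effect of the glob is visible and repeatable.
demo() {
    renderer=$1
    dir=$(mktemp -d) || return 1
    : > "$dir/alpha.txt"
    : > "$dir/beta.txt"
    ( cd "$dir" && SERVER_PROTOCOL='HTTP/1.0 *' && "$renderer" )
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo render_unquoted   # SERVER_PROTOCOL = HTTP/1.0 alpha.txt beta.txt
demo render_quoted     # SERVER_PROTOCOL = HTTP/1.0 *
```

The same check applies to every other variable a CGI shell script echoes: any expansion left outside double quotes is subject to word splitting and globbing.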