Posted to apache-bugdb@apache.org by Reuben Smith <w0...@hotmail.com> on 1998/05/05 17:24:09 UTC

general/2182: test-cgi security flaw

>Number:         2182
>Category:       general
>Synopsis:       test-cgi security flaw
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue May  5 08:30:00 PDT 1998
>Last-Modified:
>Originator:     w0rms1gn@hotmail.com
>Organization:
apache
>Release:        1.2.6 and 1.3b6
>Environment:
un-important -- it's higher level than OS
>Description:
This is just a bug in the test-cgi script that's distributed with your server.
It occurs when you simply append " *" or something like that to the end of a
server that has the test-cgi script viewable to the public.  It allows the
remote user to list any files on the remote system that the user running
test-cgi can list (I guess it runs as nobody, normally).  This is bad.

I'm sure you don't recommend that people keep that script on their site -- but
at the same time, it's not good to introduce security holes if they do so.
>How-To-Repeat:
"http://web.foo.com/cgi-bin/test-cgi /*"
>Fix:
Just put quotes around the $SERVER_PROTOCOL variable in the script... it might
be an idea to put quotes around all the variables, so that silly problems like
this don't pop up again.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
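
Added example, not part of the original report and not the distributed test-cgi script: the unquoted echo of $SERVER_PROTOCOL described above next to the quoted form proposed under Fix, plus a rough check for other unquoted echo lines. The function names, the file names and the "HTTP/1.0 *" value are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not the distributed test-cgi script.
# All file names and the SERVER_PROTOCOL value below are constructed.

# Unquoted expansion: the value is word-split and each word is glob-expanded
# against the current directory before echo ever sees it.
report_unquoted() {
    SERVER_PROTOCOL=$1
    echo SERVER_PROTOCOL = $SERVER_PROTOCOL
}

# Quoted expansion (the fix proposed in the report): the value stays literal.
report_quoted() {
    SERVER_PROTOCOL=$1
    echo "SERVER_PROTOCOL = $SERVER_PROTOCOL"
}

# Heuristic audit: print echo lines where a $VAR appears before any double
# quote. It does not parse shell syntax, so review the hits by hand.
find_unquoted_echo() {
    grep -nE '^[[:space:]]*echo[^"]*\$[A-Za-z_{]' "$1" || true
}

demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/notes.txt"
    : > "$dir/passwd.sample"
    cd "$dir" || return 1
    report_unquoted 'HTTP/1.0 *'   # the * is replaced by the file names
    report_quoted   'HTTP/1.0 *'   # the * is printed literally
    printf '%s\n' 'echo SERVER_PROTOCOL = $SERVER_PROTOCOL' \
                  'echo "SERVER_NAME = $SERVER_NAME"' > sample.sh
    find_unquoted_echo sample.sh   # flags line 1 only
    cd / && rm -rf "$dir"
}

# Run in a subshell so the caller's working directory is left alone.
( demo )
```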