The contract type is `' with a response time of 3 business hours.
A first analysis should be sent before: Mon Apr 14 11:00:00 PDT 1997
>Number: 370
>Category: mod_env
>Synopsis: Modified PATH environment variable is not passed, instead system's is used
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Sat Apr 12 07:20:00 1997
>Originator: [EMAIL PROTECTED]
>Organization:
apache
>Release: 1.2.x
>Environment:
DEC-MIPS Ultrix 4.4, gcc 2.7.2.2, BIND 4.9.4p1
>Description:
The use of a modified environment PATH is not reflected in the
actual $PATH passed to the CGI. It may constitute a security hole
as the $PATH used is that of the owner of the parent process (root).
>How-To-Repeat:
please see http://www.ecology.umsl.edu/cgi-bin/envchk.cgi
>Fix:
N/A. In principle the use of mod_disallow_id is a workaround to
potential backdoors
>Audit-Trail:
>Unformatted:
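
The report describes a CGI receiving the server parent's $PATH instead of the configured one. As an added example (not part of the original report and not Apache code), a CGI script can check the PATH it inherits and pin its own before running anything; `SAFE_PATH`, `path_is_safe` and `envchk` are names and values assumed here.

```shell
#!/bin/sh
# Added example: a CGI script that does not rely on the PATH it inherits.
# SAFE_PATH is an assumed value; list only the directories the script needs.
SAFE_PATH="/usr/bin:/bin"

# Return 0 if every entry of the PATH string in $1 is an absolute directory.
# Return 1 for an empty string, an empty entry, "." or any relative entry,
# all of which make command lookup depend on the current directory.
path_is_safe() {
    [ -n "$1" ] || return 1
    case "$1" in
        :*|*:|*::*) return 1 ;;   # leading, trailing or doubled colon = empty entry
    esac
    (
        # Subshell: the IFS and globbing changes do not leak to the caller.
        IFS=:
        set -f
        for entry in $1; do
            case "$entry" in
                /*) ;;            # absolute entry: acceptable
                *)  exit 1 ;;     # relative entry: reject
            esac
        done
        exit 0
    )
}

# Emit a text/plain CGI response recording the inherited PATH and the verdict,
# then replace PATH with the pinned value for everything that runs afterwards.
envchk() {
    inherited=$PATH
    if path_is_safe "$inherited"; then verdict=ok; else verdict=unsafe; fi
    PATH=$SAFE_PATH
    export PATH
    printf 'Content-Type: text/plain\r\n\r\n'
    printf 'inherited PATH: %s (%s)\n' "$inherited" "$verdict"
    printf 'effective PATH: %s\n' "$PATH"
}

# Run only when invoked by a web server (GATEWAY_INTERFACE is set by CGI).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    envchk
fi
```

Pinning PATH inside the script makes its command lookup independent of whatever the server process passes down.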