>Number: 371
>Category: config
>Synopsis: echo $CONTENT_TYPE unquoted
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: support
>Submitter-Id: apache
>Arrival-Date: Sat Apr 12 13:10:01 1997
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: up to 1.1.3, not sure of 1.2+
>Environment: N/A - test-cgi script included by default
>Description:
test-cgi echoes $CONTENT_TYPE unquoted. Content type can be a user supplied variable if they telnet or use netcat to send

GET /cgi-bin/test-cgi HTTP/1.0
Content-type: *

They will get a directory listing of the cgi-bin.

This is a well known bug and I am surprised to see the 'secure' distribution of 1.1.3 still has the test-cgi with this same hole.
>How-To-Repeat:
GET /cgi-bin/test-cgi HTTP/1.0
Content-type: *
>Fix:
Put EVERYTHING that could possibly result in the accidental execution of other commands in quotes.
>Audit-Trail:
>Unformatted:
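The quoting defect reported above, shown next to the quoted form the Fix field asks for. This is an added example, not part of the original report and not the script shipped with Apache: the function names, the scratch directory and its file names are constructed, and the echo line is a stand-in for the one in test-cgi.

```shell
#!/bin/sh
# Added illustration: constructed stand-in for the echo line in test-cgi.
# The scratch directory and file names are constructed sample data.

# Unquoted expansion: the shell applies word splitting and pathname
# expansion (globbing) to the value before echo ever sees it, so a value
# of "*" is replaced by the names in the current working directory.
show_unquoted() {
    echo CONTENT_TYPE = $CONTENT_TYPE
}

# Quoted expansion: the value reaches the command as one literal word.
# printf is used instead of echo so backslashes in the value are not
# interpreted by shells whose echo processes escape sequences.
show_quoted() {
    printf '%s\n' "CONTENT_TYPE = $CONTENT_TYPE"
}

# Scratch directory standing in for cgi-bin (constructed).
demo_dir=$(mktemp -d)
touch "$demo_dir/test-cgi" "$demo_dir/printenv" "$demo_dir/private.cgi"

# The server copies the Content-type request header into this variable,
# so its value is chosen by the client.
CONTENT_TYPE='*'

# Run both forms with the scratch directory as the working directory,
# as a CGI script runs with cgi-bin as its working directory.
unquoted_out=$(cd "$demo_dir" && show_unquoted)
quoted_out=$(cd "$demo_dir" && show_quoted)

echo "unquoted: $unquoted_out"
echo "quoted:   $quoted_out"

rm -rf "$demo_dir"
```

The same check applies to every other variable a CGI shell script expands from request data; running a shell linter such as ShellCheck over the script flags each unquoted expansion.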
