>Number: 2182
>Category: general
>Synopsis: test-cgi security flaw
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Tue May 5 08:30:00 PDT 1998
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.2.6 and 1.3b6
>Environment: unimportant -- it's higher level than OS
>Description:
This is just a bug in the test-cgi script that's distributed with your server. It occurs when you simply append " *" or something like that to the end of a server that has the test-cgi script viewable to the public. It allows the remote user to list any files on the remote system that the user running test-cgi can list (I guess it runs as nobody, normally). This is bad.

I'm sure you don't recommend that people keep that script on their site -- but at the same time, it's not good to introduce security holes if they do so.
>How-To-Repeat:
"http://web.foo.com/cgi-bin/test-cgi /*"
>Fix:
just put quotes around the $SERVER_PROTOCOL variable in the script... it might be an idea to put quotes around all the variables, so that silly problems like this don't pop up again.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
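
The quoting fix proposed in the report, as an added example (not part of the original report and not the shipped test-cgi script): the two echo lines are modelled on the report's description, and the scratch directory, file names and sample value are constructed.

```shell
#!/bin/sh
# Added illustration: why an unquoted CGI variable in a shell script
# discloses file names, and how quoting stops it.

# Unquoted form: the shell applies word splitting and pathname expansion
# (globbing) to the variable's value before echo ever sees it.
report_unquoted() {
    SERVER_PROTOCOL=$1
    echo SERVER_PROTOCOL = $SERVER_PROTOCOL
}

# Quoted form (the fix from the report): the value is passed through
# literally, so a "*" in it stays a "*".
report_quoted() {
    SERVER_PROTOCOL=$1
    echo "SERVER_PROTOCOL = $SERVER_PROTOCOL"
}

# Run one of the two forms inside a scratch directory holding two
# constructed files, so the effect of globbing is visible and repeatable.
demo() {
    form=$1
    value=$2
    dir=$(mktemp -d) || return 1
    : > "$dir/notes.txt"
    : > "$dir/private.key"
    out=$(cd "$dir" && "$form" "$value")
    rm -rf "$dir"
    printf '%s\n' "$out"
}

# Constructed value containing a glob character.
demo report_unquoted 'HTTP/1.0 *'
demo report_quoted 'HTTP/1.0 *'
```

The same check applies to every variable the script echoes, which is why the report suggests quoting all of them.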
