The following bug was found to affect all platforms and is fixed in 2.0.40 as part of the CAN-2002-0654 incident;
>Date: Mon, 29 Jul 2002 15:27:03 -0700 >From: Jim Race <[EMAIL PROTECTED]> >To: [EMAIL PROTECTED] >Subject: Security regression in 2.0.39 (Win32)? > >In previous versions of 2.0.n, there was a bug in which the absolute path >was revealed when calling certain CGI scripts. > >I performed a default install (only knocked down the number of threads in >httpd.conf) last Thursday, and today noticed that this appears to have >returned. Note that any previous version of Apache had been completely >uninstalled. > >OS: Win98SE >Installed from Apache binary > >To reproduce: > >1) Open: http://jimrace.com/cgi-bin/printenv.pl > >Result: >HTTP/1.1 500 Internal Server Error >Date: Mon, 29 Jul 2002 18:59:19 GMT >Server: Apache/2.0.39 (Win32) >Vary: accept-language >Accept-Ranges: bytes >Connection: close >Content-Type: text/html; charset=ISO-8859-1 > > ><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> > > > >Server error! > >Error message: >couldn't create child process: 22502: C:/Program Files/Apache >Group/Apache2/cgi-bin/printenv.pl >================================================================== Feel >free to contact me at this address or mailto:[EMAIL PROTECTED] regards, Jim >Race Independent SQA Contractor 650.212.1311 >--------------------------------------------------------------------- To >unsubscribe, e-mail: [EMAIL PROTECTED] For additional >commands, e-mail: [EMAIL PROTECTED]
