Charles Steinkuehler wrote:
>
> > Why do you need both of these?
> >
> > /var/sh-www/cgi-bin/viewlogs
> > /var/sh-www/cgi-bin/viewlogs-www -> viewlogs
>
> Take a look at the code...
>
> The script includes code to prevent 'directory walking' attacks, so
> something like:
>
> http://myfirewall.com/cgi-bin/viewlogs?../../etc/passwd
>
> will fail. The symlink is used to change the basename of the program, which
> is then used to select the root directory to provide files from. There are
> many other ways this could be done, but this is the one I picked. One
> reason was to avoid parsing a parameter provided by the user, which is
> always a bit dangerous and tricky in shell-script (just look at how many
> buffer based attacks there are for 'real' programs!).

OK, now I understand.

Is this, then, a security hole ???

/var/sh-log -> /var/log

--
Best Regards,
mds
mds resource
888.250.3987
Dare to fix things before they break . . .
Our capacity for understanding is inversely proportional to how much we
think we know. The more I know, the more I know I don't know . . .
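
The scheme described in the quoted reply (the program's basename picks the root directory, and directory walking is refused), as an added sketch that is not the LEAF viewlogs script. The basename-to-root mapping, the function names and the `base` argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not the actual viewlogs code.
# Assumed (hypothetical) mapping: "viewlogs" serves <base>/sh-log,
# "viewlogs-www" serves <base>/sh-www.

# root_for PROGRAM_PATH BASE -> prints the root chosen by the program's basename
root_for() {
    case "$(basename "$1")" in
        viewlogs)     printf '%s\n' "$2/sh-log" ;;
        viewlogs-www) printf '%s\n' "$2/sh-www" ;;
        *)            return 1 ;;          # unknown name: serve nothing
    esac
}

# safe_path ROOT QUERY -> prints the resolved file path, or fails
safe_path() {
    case "$2" in
        ''|/*|*..*)          return 1 ;;   # empty, absolute, or contains ".."
        *[!A-Za-z0-9._/-]*)  return 1 ;;   # anything outside a small whitelist
    esac
    # Resolve symlinks in the root and in the requested directory, then
    # confirm the requested directory is still inside the resolved root.
    real_root=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    dir=$(cd "$1/$(dirname "$2")" 2>/dev/null && pwd -P) || return 1
    case "$dir/" in
        "$real_root"/*) ;;
        *) return 1 ;;                     # a symlink led outside the root
    esac
    file="$dir/$(basename "$2")"
    # Only regular files, and the final component must not be a symlink.
    [ -f "$file" ] || return 1
    [ ! -L "$file" ] || return 1
    printf '%s\n' "$file"
}
```

A symlinked root (such as `sh-log` pointing at `log`) is resolved once and then treated as the boundary; a symlink found below it that leads elsewhere is refused.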