I came across a possible security hole in tcl-httpd.

If you hit a URL that is some suffix added to a valid URL, the server
will try to execute the valid file like a CGI script.

For example hitting the url:
http://localhost:8015/license.terms/foo
results in:
Got the error Bad Request
while trying to obtain /license.terms/foo.
Don't know how to execute CGI
d:/ifc/tcl/tmp/tclhttpd2.3.7/htdocs/license.terms

(Of course, if this is a Tcl or Perl or exe file, the server will just
execute it.)

From DocDomain in doc.tcl we have the culprit call:
 if {![DocFallback $path $suffix $sock]} {
   # Couldn't find anything.
   # check for cgi script in the middle of the path
   Cgi_Domain $virtual $directory $sock $suffix
 }


-Jeff McWhirter
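
Added example, not part of the original post and not tclhttpd code: a guard that could sit in front of the mid-path CGI fallback described above, so that a file followed by extra path components is run only when it lives under a configured CGI directory and has a configured CGI extension. The proc name `midpath_cgi_target`, the `/cgi-bin` directory, the `.cgi` extension and the demo files are assumptions made for the illustration.

```tcl
# Hypothetical guard (not tclhttpd's API). Returns {script pathinfo} when a
# file in the middle of the URL path may run as CGI, or an empty list when
# the request should be refused (for example with a 404).
proc midpath_cgi_target {docroot urlpath cgiDirs cgiExts} {
    set parts [list]
    foreach comp [split [string trim $urlpath /] /] {
        # Refuse empty, dot and dot-dot components outright.
        if {$comp eq "" || $comp eq "." || $comp eq ".."} { return {} }
        lappend parts $comp
    }
    set fspath $docroot
    set rel ""
    set last [expr {[llength $parts] - 1}]
    for {set i 0} {$i < $last} {incr i} {
        set comp [lindex $parts $i]
        set fspath [file join $fspath $comp]
        append rel / $comp
        if {![file isfile $fspath]} { continue }
        # A regular file with components left after it: the case in the post.
        set inCgiDir 0
        foreach d $cgiDirs {
            if {[string first $d/ $rel] == 0} { set inCgiDir 1 }
        }
        set ext [string tolower [file extension $comp]]
        if {$inCgiDir && [lsearch -exact $cgiExts $ext] >= 0} {
            set pathinfo /[join [lrange $parts [expr {$i + 1}] end] /]
            return [list $fspath $pathinfo]
        }
        return {}
    }
    return {}
}

# Constructed docroot and request paths for the demo.
set root [file join [pwd] demo_docroot_[pid]]
file mkdir [file join $root cgi-bin]
foreach f {license.terms cgi-bin/env.cgi cgi-bin/notes.txt} {
    close [open [file join $root $f] w]
}
foreach url {/license.terms/foo /cgi-bin/env.cgi/extra/info
             /cgi-bin/notes.txt/foo /cgi-bin/../license.terms/foo} {
    set r [midpath_cgi_target $root $url {/cgi-bin} {.cgi}]
    if {[llength $r]} {
        puts "$url -> run [lindex $r 0] with PATH_INFO [lindex $r 1]"
    } else {
        puts "$url -> refuse"
    }
}
file delete -force $root
```

Only `/cgi-bin/env.cgi/extra/info` resolves to a script; the `/license.terms/foo` request from the post is refused instead of being handed to the CGI handler.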




