Re: CGI source being exposed using "~"

[petek () BSOD NET (Pete Krawczyk)]

Date: Sun, 7 May 2000 15:02:21 -0400
From: Nathan Einwechter <compsecure () softhome net>
Subject: CGI source being exposed using "~"

}This problem allows anyone to view and download the source for any of
}the CGI scripts on their site. All that I did, was put a tild "~" at the
}end of the url to the cgi, and it popped up with the CGI source code, and
}some images etc, which the code references to within. None of it is
}formated when you first view it. However, if you just view the source of
}the page, right there infront of you, is the entire source code for the
}Perl CGI script.

Emacs will often save older backup copies of files with a ~ at the end of
the file.  Therefore, what you are seeing are copies of the original
script that someone was editing with Emacs.

I don't use Emacs, so I couldn't tell you how to not do that, but that's
not the fault of Apache.  I tried it on a few servers that had Apache
1.3.9/mod_perl 0.21 (according to Netcraft) and the condition you
described doesn't exist.

You may want to tell your ISP to delete the backup files, then.

-Pete K

--
Pete Krawczyk
  petek at bsod dot net or pkrawczy at uiuc dot edu
  http://www.uiuc.edu/ph/www/pkrawczy/
  Finger pkrawczy at uiuc dot edu for PGP public key