Vulnerability Development mailing list archives

Re: CGI source being exposed using "~"


From: RichardS () ADV NET NZ (Richard Stevenson)
Date: Mon, 8 May 2000 13:35:51 +1200


On 7 May 2000, at 15:02, Nathan Einwechter wrote:

> This problem allows anyone to view and download the source for any of the
> CGI scripts on their site. All that I did was put a tilde "~" at the end of
> the url to the cgi, and it popped up with the CGI source code, and some
> images etc, which the code references to within. None of it is formatted when
> you first view it. However, if you just view the source of the page, right
> there in front of you, is the entire source code for the Perl CGI script.

Almost certainly Emacs backup files.  They really ought to have better
change-control than Emacs backup files...  they are almost certainly not
*current* copies of the scripts, but will likely give away more information
than is necessary.

> I stumbled onto this because of a page I found on the server (I can't
> remember for the life of me where it was). It was a server generated page,
> that said something about base names, that there were 229, and displayed
> four links.
>
> http://server/cgi-bin/index.html
> http://server/cgi-bin/index.html~  [base]
> http://server/cgi-bin/index.cgi
> http://server/cgi-bin/index.cgi~   [base]

My guess is that they allow listings of directories that don't have an
index.html (or equivalent - this is configurable), so you got a pretty
directory listing.  That shouldn't be allowed in general, and definitely
not in /cgi-bin :-(

Cheers

Richard
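
An added example, not part of the original thread: a local audit a site owner could run over their own document root to find the two conditions discussed above, Emacs backup/auto-save files left beside scripts and directories with no index file. The function names, the sample tree and the index file names are assumptions made for illustration.

```python
import os
import re
import tempfile

# Emacs leftovers: "name~" (backup), "name.~2~" (numbered backup), "#name#" (auto-save)
EMACS_LEFTOVER = re.compile(r"^(?:#.+#|.+~)$")
# Assumption: names the server treats as a directory index (configurable per server)
INDEX_NAMES = {"index.html", "index.htm"}


def audit_docroot(docroot, index_names=INDEX_NAMES):
    """Return (leftovers, unindexed): relative paths of Emacs backup/auto-save
    files, and directories that would be listed if auto-indexing is enabled."""
    leftovers, unindexed = [], []
    for dirpath, dirnames, filenames in os.walk(docroot):
        dirnames.sort()  # deterministic traversal order
        rel_dir = os.path.relpath(dirpath, docroot)
        if not index_names & set(filenames):
            unindexed.append(rel_dir)
        for name in sorted(filenames):
            if EMACS_LEFTOVER.match(name):
                leftovers.append(os.path.normpath(os.path.join(rel_dir, name)))
    return leftovers, unindexed


def build_sample_tree(root):
    """Constructed sample layout, loosely modelled on the listing in the thread."""
    os.makedirs(os.path.join(root, "cgi-bin"))
    for path in ("index.html", "cgi-bin/index.cgi", "cgi-bin/index.cgi~",
                 "cgi-bin/#search.cgi#", "cgi-bin/index.cgi.~2~"):
        with open(os.path.join(root, path), "w") as fh:
            fh.write("# placeholder\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        leftovers, unindexed = audit_docroot(root)
        for path in leftovers:
            print("backup file reachable under docroot:", path)
        for path in unindexed:
            print("no index file (listable if auto-indexing is on):", path)
```

Anything it reports under a script directory should be moved out of the document root, and editor backups are better replaced by real change control, as the reply above suggests.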

