Bugtraq mailing list archives

More test-cgi


From: epenneba () dynamo cso uiuc edu (Erik M Pennebaker)
Date: Thu, 12 Dec 1996 15:22:18 -0600


  After installing apache1.2b1 on a few machines, I noticed that:

http://some.machine.some.edu/cgi-bin/test-cgi? *

(note the space after the "?")

Gives:

argc is 0. argv is .

SERVER_SOFTWARE = Apache/1.2b1
[etc]
SERVER_PROTOCOL = printenv test-cgi HTTP/1.0
[etc]
QUERY_STRING =
[etc]

Note the file listing in the "SERVER_PROTOCOL" field.  I've tried this on
a few versions of the server, as far back as 1.03.

It seems that distributions that changed $QUERY_STRING to "$QUERY_STRING"
are still open to remote file listing.

Sorry if this was mentioned already...I looked around my archive and the
web archive, and only saw holes involving query_string.

   Quoting $SERVER_PROTOCOL seems to fix it....almost as well as deleting
test-cgi.

-Erik

--
-----
Erik Pennebaker  |  http://www.uiuc.edu/ph/www/epenneba  |   epenneba () uiuc edu
                           Question Reality
CCSO Workstation Support Group, University of Illinois         My opinions
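
The behaviour reported above, reproduced locally as an added example (not part of the original post and not the Apache test-cgi source). It assumes the server placed `* HTTP/1.0` in SERVER_PROTOCOL, inferred from the output shown; the directory contents are constructed and `find_unquoted_echo` is a hypothetical audit helper.

```shell
#!/bin/sh
# Added example: why an unquoted $SERVER_PROTOCOL in a test-cgi style script
# lists files, and why quoting stops it. All file names are constructed.

# Build a scratch "cgi-bin" holding the two names seen in the post's output.
make_cgi_bin() {
    dir=$(mktemp -d) || return 1
    : > "$dir/printenv"
    : > "$dir/test-cgi"
    printf '%s\n' "$dir"
}

# Vulnerable form: the expansion is unquoted, so the shell splits the value on
# whitespace and then glob-expands each word against the current directory.
render_unquoted() (
    cd "$1" || exit 1
    SERVER_PROTOCOL=$2
    echo SERVER_PROTOCOL = $SERVER_PROTOCOL
)

# Hardened form: double quotes suppress both word splitting and globbing.
render_quoted() (
    cd "$1" || exit 1
    SERVER_PROTOCOL=$2
    echo "SERVER_PROTOCOL = $SERVER_PROTOCOL"
)

# Audit helper (hypothetical name): print echo lines in a script that still
# contain a $VARIABLE outside double quotes.
find_unquoted_echo() {
    awk '/^[ \t]*echo[ \t]/ {
        s = $0
        gsub(/"[^"]*"/, "", s)        # drop double-quoted segments
        if (s ~ /\$[A-Za-z_{]/) print FNR ": " $0
    }' "$1"
}

# Stand-alone demo: assumed value "* HTTP/1.0", as inferred from the post.
d=$(make_cgi_bin) && {
    render_unquoted "$d" '* HTTP/1.0'
    render_quoted "$d" '* HTTP/1.0'
    rm -rf "$d"
}
```

Running `find_unquoted_echo` over each script in a cgi-bin directory flags the lines that still need quoting.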


