Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CGI directory path

From: mock () ACTIVESTATE COM (mock () ACTIVESTATE COM)
Date: Mon, 20 Mar 2000 17:39:26 -0800

On Mon, Jul 08, 2019 at 08:54:22AM +0200, NiGHTfly wrote:

Hi

 I am a new system administrator for a company(by new I mean I have only
 worked for 2 weeks for them!) I was going throught all the setting and
 configurations of the servers, until I came across this on our website :

 In the url dialog box of netscape I typed :

 xxx.xxx.xxx.xxx being a replacement for the REAL address :)

 http://xxx.xxx.xx.xx/cgi-bin/*.pl

 I did this to see if I will get a directory listing of all the perl scripts.
 But what I did get was the following :

 CGI Error

 The specified CGI application misbehaved by not returning a complete
 set of HTTP headers.

 Can't open perl script "D:\data_file\*.pl" : Invalid argument.

Okay I know this is bad, but in what way? How and what can a script
 kiddie do with a full directory path? and how can I fix this?


It's bad because it lets the kiddie know what your current working directory
is.  Making it much easier to determine exactly how many '../'s are needed to
get at a specific file.  You can fix it by setting the 'check that file exists'
checkbox in the script mappings.

mock
Previous By Date Next
Previous By Thread Next

Current thread: