Vulnerability Development mailing list archives

Re: CGI source being exposed using "~"


From: jlgaddis () BLUERIVER NET (Jeremy Gaddis)
Date: Sun, 7 May 2000 20:54:59 -0500


At 03:02 PM 5/7/00 -0400, Nathan Einwechter wrote:

> This problem allows anyone to view and download the source for any of the
> CGI scripts on their site. All that I did, was put a tilde "~" at the end
> of the url to the cgi, and it popped up with the CGI source code, and some
> images etc, which the code references to within. None of it is formatted
> when you first view it. However, if you just view the source of the page,
> right there in front of you, is the entire source code for the Perl CGI script.

[snip]

There are certain *nix text editors (i.e. vi, vim, etc.) that save
a backup copy of the file you are working on.  I use vim on a few
linux machines (including my web server).  If you open up an already
existing file, say script.cgi, in vim, and you modify and rewrite the
file to disk, the original will be saved as script.cgi~.  Apache
(if correctly configured) knows how to handle .cgi's.  But a file
named script.cgi~ is not a cgi script, as far as apache is concerned.

I believe this is what is occurring, though I may very well be wrong.  I
just tried this on my web server.  Where script.cgi~ did not exist,
I received the normal 404 error.  When script.cgi~ did exist, the
source code was displayed in my browser.

-jg

--
Jeremy L. Gaddis      <jlgaddis () blueriver net>
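
An added example, not part of the original post: a Python check for the condition described above, tilde-suffixed editor backups of scripts left under the web root. The `.cgi`/`.pl` extension list, the function names and the sample directory tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Assumption: extensions the server treats as executable scripts; match this
# to the local handler configuration.
SCRIPT_EXTS = (".cgi", ".pl")


def find_backup_leaks(docroot, script_exts=SCRIPT_EXTS):
    """Return findings for editor backups ('name~') of scripts under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.endswith("~"):
                continue
            original = name[:-1]  # script.cgi~ -> script.cgi
            if not original.lower().endswith(script_exts):
                continue  # backup of a non-script file, out of scope here
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            findings.append({
                "backup": os.path.relpath(path, docroot),
                # False means the script was removed but its backup lingers.
                "original_present": os.path.isfile(os.path.join(dirpath, original)),
                # The server can only hand out what its user can read.
                "world_readable": bool(mode & stat.S_IROTH),
            })
    return sorted(findings, key=lambda f: f["backup"])


def build_sample_docroot():
    """Constructed sample tree so the example runs offline."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "cgi-bin"))
    for rel in ("cgi-bin/script.cgi", "cgi-bin/script.cgi~",
                "cgi-bin/old.pl~", "index.html", "notes.txt~"):
        path = os.path.join(root, *rel.split("/"))
        with open(path, "w") as fh:
            fh.write("#!/usr/bin/perl\n")
        os.chmod(path, 0o644)
    return root


if __name__ == "__main__":
    for finding in find_backup_leaks(build_sample_docroot()):
        print(finding)
```

Each reported file is one the server would return as plain text rather than execute, so it can be deleted or denied by name at the server.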


