Vulnerability Development mailing list archives
Re: CGI source being exposed using "~"
From: jlgaddis () BLUERIVER NET (Jeremy Gaddis)
Date: Sun, 7 May 2000 20:54:59 -0500
At 03:02 PM 5/7/00 -0400, Nathan Einwechter wrote:
>This problem allows anyone to view and download the source for any of the
>CGI scripts on their site. All that I did, was put a tilde "~" at the end
>of the url to the cgi, and it popped up with the CGI source code, and some
>images etc, which the code references to within. None of it is formatted
>when you first view it. However, if you just view the source of the page,
>right there in front of you, is the entire source code for the Perl CGI
>script.

[snip]

There are certain *nix text editors (i.e. vi, vim, etc.) that save a backup copy of the file you are working on. I use vim on a few Linux machines (including my web server). If you open up an already existing file, say script.cgi, in vim, and you modify and rewrite the file to disk, the original will be saved as script.cgi~.

Apache (if correctly configured) knows how to handle .cgi's. But a file named script.cgi~ is not a cgi script, as far as Apache is concerned. I believe this is what is occurring, though I may very well be wrong.

I just tried this on my web server. Where script.cgi~ did not exist, I received the normal 404 error. When script.cgi~ did exist, the source code was displayed in my browser.

-jg

--
Jeremy L. Gaddis <jlgaddis () blueriver net>
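A defender-side check for the situation described in the message above, as an added example that is not part of the original post: it walks a web root and reports editor backup copies of script files. Only the `~` suffix comes from the message; the other suffixes, the script extension list and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Suffixes left behind by editors and patch tools. Only "~" is from the post;
# the rest are an added generalization (assumption).
BACKUP_SUFFIXES = ("~", ".bak", ".orig", ".swp")
# Extensions assumed to be mapped to a script handler on the server.
SCRIPT_EXTS = (".cgi", ".pl", ".php", ".py")


def original_name(filename):
    """Return the name a backup was made from, or None if not a backup."""
    for suffix in BACKUP_SUFFIXES:
        if filename.endswith(suffix) and len(filename) > len(suffix):
            base = filename[: -len(suffix)]
            # vim swap files are hidden: ".script.cgi.swp" -> "script.cgi"
            if suffix == ".swp" and base.startswith("."):
                base = base[1:]
            return base
    return None


def find_exposed_backups(docroot):
    """Return sorted (relative_path, original, original_exists) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        present = set(files)
        for name in files:
            base = original_name(name)
            if base and base.lower().endswith(SCRIPT_EXTS):
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                findings.append((rel, base, base in present))
    return sorted(findings)


def demo():
    """Constructed tree: a script, its '~' backup, an orphan, benign files."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "cgi-bin"))
        for rel in ("cgi-bin/script.cgi", "cgi-bin/script.cgi~",
                    "cgi-bin/old.pl.bak", "index.html", "notes.txt~"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("#!/usr/bin/perl\n")
        return find_exposed_backups(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```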