Vulnerability Development mailing list archives

Re: CGI source being exposed using "~"


From: areisse () WAM UMD EDU (Andrew Reisse)
Date: Sun, 7 May 2000 22:23:02 -0400


Those are editor backups. Most editors save a backup copy as <file>~,
and the server doesn't send those off to the cgi handler, so it just sends
the contents.

On my servers, I put a section like this in httpd.conf to prevent editor
backups from being read (which, as you said, might contain passwords or
other interesting data)

# Deny requests for any file whose name ends in "~" (editor backups such as index.cgi~).
<Files ~ "~$">
    Order allow,deny
    Deny from all
</Files>

Andrew

On Sun, 7 May 2000, Nathan Einwechter wrote:

Hello all,

I have searched SecurityFocus and bugtraq archives to see if this is a known issue, but did not turn up anything. So, I will post my questions here.

Recently while playing on my local ISP's website I stumbled into, what is obviously, a security problem.

This problem allows anyone to view and download the source for any of the CGI scripts on their site. All that I did, was put a tilde "~" at the end of the url to the cgi, and it popped up with the CGI source code, and some images etc, which the code references to within. None of it is formatted when you first view it. However, if you just view the source of the page, right there in front of you, is the entire source code for the Perl CGI script.

Now, the particular script I started to play around with, was one where you put in your username/password for the ISP, to find out how many points you have for referring customers. Based on the number of points you have collected, you can purchase certain items for free.

I was able to manipulate the vars etc, such that I could give myself thousands of these points, and if I really wanted to, order the items.

This is obviously a problem, but why is it occurring? As far as I can tell, the server is running on Apache 1.3.9 (linux).

I stumbled onto this because of a page I found on the server (I can't remember for the life of me where it was). It was a server generated page, that said something about base names, that there were 229, and displayed four links.
http://server/cgi-bin/index.html
http://server/cgi-bin/index.html~  [base]
http://server/cgi-bin/index.cgi
http://server/cgi-bin/index.cgi~   [base]

I believe. The server has been contacted, but as of yet, nothing has come out of it. I would also like to note that the server's web page is, in general, not secure whatsoever. They have directory traversal problems et al.

Yours truly
Nathan Einwechter

PS Please do not stereotype people who are teenagers, and interested in security as "Crackers" or "Script Kiddies" as many of us are not.
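
A docroot audit for the problem discussed in this thread, as an added example that is not part of either message: it walks a web root, lists files ending in "~", and notes whether each one sits next to an existing (and executable) script. The sample tree is constructed to mirror the URLs in the post, and the function names are this example's own.

```python
import os
import stat
import tempfile

BACKUP_SUFFIX = "~"  # the editor-backup suffix discussed in this thread


def find_editor_backups(docroot):
    """Return sorted findings for files ending in '~' under docroot.

    Each finding is (relative_path, original_exists, original_is_executable).
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            if not name.endswith(BACKUP_SUFFIX):
                continue
            backup = os.path.join(dirpath, name)
            original = backup[: -len(BACKUP_SUFFIX)]
            exists = os.path.isfile(original)
            executable = exists and bool(os.stat(original).st_mode & stat.S_IXUSR)
            findings.append((os.path.relpath(backup, docroot), exists, executable))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample docroot (assumption: layout modelled on the post's URLs)."""
    cgi = os.path.join(root, "cgi-bin")
    os.makedirs(cgi)
    for name in ("index.html", "index.html~", "index.cgi", "index.cgi~", "orphan.pl~"):
        with open(os.path.join(cgi, name), "w") as fh:
            fh.write("#!/usr/bin/perl\n# constructed sample\n")
    os.chmod(os.path.join(cgi, "index.html"), 0o644)
    os.chmod(os.path.join(cgi, "index.cgi"), 0o755)
    return root


def demo():
    """Run the audit over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_editor_backups(build_sample_tree(tmp))


if __name__ == "__main__":
    for path, exists, executable in demo():
        kind = "backup of a live script" if executable else "backup file"
        print(f"{path}: {kind}; remove it or deny access to names ending in ~")
```

A backup with no surviving original (orphan.pl~ here) is still reported, since the server will serve it as plain text just the same.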


