[12844] in bugtraq
Re: FormHandler.cgi
daemon@ATHENA.MIT.EDU (Kevin Hemenway)
Fri Dec 3 18:31:37 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <000f01bf3da6$33945d90$160e40d8@infoservecorp.com>
Date: Fri, 3 Dec 1999 10:51:02 -0500
Reply-To: Kevin Hemenway <info@TOTALNETNH.NET>
From: Kevin Hemenway <info@TOTALNETNH.NET>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Regarding previous messages concerning FormHandler.cgi on 11/8/99 and
11/15/99 and how four lines of code can send anyone your passwd file:
I had previously stated that you could add '..' to the
@RESTRICTED_ATTACH_DIRS. This is incorrect and actually breaks the
'email_template' (and possibly other) features. You can, however, use the
following:
@RESTRICTED_ATTACH_DIRS = ('/etc/','\.\.');
This made 'email_template' work again, but could have broken something else.
Kevin Hemenway
-- -----------------------------------------------------------------
Total Net NH, LLC EMAIL: <info@totalnetnh.net>
15 Pleasant St., Suite 11 WEBSITE: <http://www.totalnetnh.net/>
Concord, NH 03301 PHONE: (603) 225-8422
--------------------------------------------------------------------
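Added example, not part of the message above and not FormHandler.cgi's own code: a small Perl script that models a restricted-directory check of the kind the thread is talking about. It assumes (this is an assumption, not something quoted from the script) that each entry of @RESTRICTED_ATTACH_DIRS is used as a regular expression and matched against the path a form submission asks the script to attach, which is what the need to escape the dots as '\.\.' suggests. Under that assumption it shows why the three settings behave differently: '/etc/' alone does not stop traversal, a bare '..' is a regex that matches any two characters and so rejects every real path (which would explain 'email_template' breaking), and '\.\.' matches two literal dots only. The function name is_restricted and the sample paths are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not FormHandler.cgi's own code). Models a deny-list check
# in which every entry of @RESTRICTED_ATTACH_DIRS is treated as a regular
# expression and tested against a requested attachment path. That matching
# rule is an assumption about the script, not quoted from it.
use strict;
use warnings;

# Returns 1 if $path matches any pattern in @$restricted, 0 otherwise.
sub is_restricted {
    my ($path, $restricted) = @_;
    for my $pattern (@$restricted) {
        # $pattern is interpolated as a regex, so '..' means "any two
        # characters" while '\.\.' means two literal dots.
        return 1 if $path =~ /$pattern/;
    }
    return 0;
}

# Constructed sample paths: the /etc/passwd read from the earlier reports,
# a traversal attempt aimed somewhere other than /etc/, and a legitimate
# template file that the 'email_template' feature needs to be able to read.
my @paths = (
    '/etc/passwd',
    '../../home/www/.htpasswd',
    'templates/email_template.txt',
);

# Three candidate settings for @RESTRICTED_ATTACH_DIRS.
my %settings = (
    original => ['/etc/'],            # blocks /etc/ only, traversal passes
    bare     => ['/etc/', '..'],      # '..' matches any two chars: blocks all
    escaped  => ['/etc/', '\.\.'],    # '\.\.' matches literal '..' only
);

# Returns a hash of path => {setting => 0|1} so the results can be inspected.
sub evaluate_all {
    my %result;
    for my $p (@paths) {
        for my $name (sort keys %settings) {
            $result{$p}{$name} = is_restricted($p, $settings{$name});
        }
    }
    return \%result;
}

my $r = evaluate_all();
for my $p (@paths) {
    printf "%-32s original=%d bare=%d escaped=%d\n", $p,
        $r->{$p}{original}, $r->{$p}{bare}, $r->{$p}{escaped};
}
```

Run with 'perl' and compare the columns: only the 'escaped' setting blocks both /etc/passwd and the traversal sample while still letting templates/email_template.txt through. A deny-list of regexes matched against an attacker-supplied path is still a fragile control; the more robust fix for a script like this is to resolve the requested path and verify it lies under a single allowed directory, rather than enumerating what is forbidden.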