More test-cgi
daemon@ATHENA.MIT.EDU (Erik M Pennebaker)
Thu Dec 12 19:01:00 1996
Date: Thu, 12 Dec 1996 15:22:18 -0600
Reply-To: epenneba@uiuc.edu
From: Erik M Pennebaker <epenneba@dynamo.cso.uiuc.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
After installing apache1.2b1 on a few machines, I noticed that:
http://some.machine.some.edu/cgi-bin/test-cgi? *
(note the space after the "?")
Gives:
argc is 0. argv is .
SERVER_SOFTWARE = Apache/1.2b1
[etc]
SERVER_PROTOCOL = printenv test-cgi HTTP/1.0
[etc]
QUERY_STRING =
[etc]
Note the file listing in the "SERVER_PROTOCOL" field. I've tried this on
a few versions of the server, as far back as 1.03.
It seems that distributions that changed $QUERY_STRING to "$QUERY_STRING"
are still open to remote file listing.
Sorry if this was mentioned already... I looked around my archive and the
web archive, and only saw holes involving query_string.
Quoting $SERVER_PROTOCOL seems to fix it... almost as well as deleting
test-cgi.
-Erik
--
-----
Erik Pennebaker | http://www.uiuc.edu/ph/www/epenneba | epenneba@uiuc.edu
Question Reality
CCSO Workstation Support Group, University of Illinois My opinions
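The shell behaviour behind the listing above, as an added example that is not part of Erik's post or of the Apache test-cgi script: a request line of "GET /cgi-bin/test-cgi? * HTTP/1.0" is split on whitespace, so everything after the second space, "* HTTP/1.0", becomes SERVER_PROTOCOL; when the script then echoes that variable unquoted, the shell word-splits it and globs the "*" against the current directory (cgi-bin), which is where "printenv test-cgi" comes from. The function names, the scratch directory and the two file names in it are constructed for this demonstration.

```sh
#!/bin/sh
# Added example (not from the original post): unquoted vs. quoted expansion
# of a request-line value in a shell CGI script.

# Constructed stand-in for a cgi-bin directory holding the two file names
# seen in the post's output. Prints the directory path.
make_cgi_dir() {
    dir=$(mktemp -d)
    : > "$dir/printenv"
    : > "$dir/test-cgi"
    printf '%s\n' "$dir"
}

# Vulnerable form, as in the old test-cgi: $1 is the directory the script
# runs in, $2 is the SERVER_PROTOCOL value the server passed in. The unquoted
# expansion is subject to word splitting and pathname globbing, so a "*" in
# the value turns into the names of the files in that directory.
report_unquoted() {
    SERVER_PROTOCOL="$2"
    ( cd "$1" && echo SERVER_PROTOCOL = $SERVER_PROTOCOL )
}

# Hardened form: the double quotes make the expansion one literal word, so
# no globbing or splitting happens. printf is used instead of echo because
# some /bin/sh echo implementations interpret backslash escapes and leading
# "-n"/"-e" in their arguments, which an attacker-supplied value could contain.
report_quoted() {
    SERVER_PROTOCOL="$2"
    ( cd "$1" && printf '%s = %s\n' SERVER_PROTOCOL "$SERVER_PROTOCOL" )
}

# Stand-alone demonstration with the value produced by the request line
# "GET /cgi-bin/test-cgi? * HTTP/1.0".
demo_dir=$(make_cgi_dir)
report_unquoted "$demo_dir" '* HTTP/1.0'   # SERVER_PROTOCOL = printenv test-cgi HTTP/1.0
report_quoted   "$demo_dir" '* HTTP/1.0'   # SERVER_PROTOCOL = * HTTP/1.0
rm -rf "$demo_dir"
```

The same reasoning applies to every other variable the script echoes: QUERY_STRING was the one people had already quoted, but any CGI variable derived from the request (PATH_INFO, HTTP_* headers and so on) reaches the shell unquoted unless each expansion is wrapped in double quotes, which is why removing the script is the more reliable fix the post mentions.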