ack sent... I can't seem to replicate the problem, but I thought
I would share it with the group, just in case someone else can
replicate it.
I've asked for specifications on the type of system being run on
as well as which modules are being included.
>X-POP3-Rcpt: awm@luers.qosina.com
>From: craig@craigster.com
>To: awm@qosina.com
>Date: Wed Nov 1 17:28:44 1995
>Subject: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux
>
>Submitter: craig@craigster.com
>Operating system: Linux, version: 1.2.13
>Extra Modules used: none
>URL exhibiting problem: http://www.apache.org//cgi-bin/access_count
>
>Symptoms:
>--
>If someone puts an extra "/" in a URL that points to
>an executable file in a ScriptAliased directory, the
>SOURCE of a Perl script (or binary information for
>compiled programs) is output as plain text.
>
>The problem occurs in both Netscape and Lynx.
>
>Please respond ASAP, as this is a serious security
>issue for us and we're looking for a fix. We have
>triple-checked our configuration files, and don't
>see any problems on our end. The bug is even evident
>on APACHE.ORG's server.
>
>Thanks!
>--
>
>Backtrace:
>--
>
>--
>
>
--
Aram W. Mirzadeh, MIS Manager, Qosina Corporation
http://www.qosina.com/~awm/, awm@qosina.com
Apache httpd server team http://www.apache.org
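
Added example, not part of the original message and not Apache's code: a small C model of how an extra "/" can slip past a script-alias check, assuming the alias is matched as a plain string prefix on the un-normalized request path (the report does not confirm the cause). The function names and the "/cgi-bin/" alias value are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Collapse every run of '/' in a path to a single '/', in place. */
static void collapse_slashes(char *path)
{
    char *out = path;
    for (const char *in = path; *in; in++) {
        if (*in == '/' && out > path && out[-1] == '/')
            continue;                   /* drop the repeated slash */
        *out++ = *in;
    }
    *out = '\0';
}

/* Hypothetical alias check: plain string-prefix comparison. */
static int matches_script_alias(const char *path, const char *alias)
{
    return strncmp(path, alias, strlen(alias)) == 0;
}

/* Returns 1 if the request is routed to script execution, 0 if it falls
 * through to ordinary file serving (where the script body would be sent
 * as data), -1 if the path is too long and is rejected.
 * normalize != 0 canonicalizes the path before the alias comparison. */
static int handled_as_script(const char *request_path, const char *alias,
                             int normalize)
{
    char buf[256];
    if (strlen(request_path) >= sizeof buf)
        return -1;
    strcpy(buf, request_path);
    if (normalize)
        collapse_slashes(buf);
    return matches_script_alias(buf, alias);
}

int main(void)
{
    const char *alias = "/cgi-bin/";    /* constructed configuration value */
    const char *paths[] = {             /* constructed request paths */
        "/cgi-bin/access_count", "//cgi-bin/access_count",
    };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-26s raw=%d normalized=%d\n", paths[i],
               handled_as_script(paths[i], alias, 0),
               handled_as_script(paths[i], alias, 1));
    return 0;
}
```

The point for a server or a filtering proxy is that the alias decision and the file lookup must both see the same canonical path.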