From nobody@hyperreal.com Mon Apr 28 12:22:43 1997 Received: (from nobody@localhost) by hyperreal.com (8.8.5/8.8.5) id MAA18853; Mon, 28 Apr 1997 12:22:43 -0700 (PDT) Message-Id: <199704281922.MAA18853@hyperreal.com> Date: Mon, 28 Apr 1997 12:22:43 -0700 (PDT) From: Dan Kearns Reply-To: dkearns@mot.com To: apbugs@hyperreal.com Subject: cgi-bin negotiation bug -> Security hole X-Send-Pr-Version: 3.2 >Number: 497 >Category: mod_negotiation >Synopsis: cgi-bin negotiation bug -> Security hole >Confidential: no >Severity: critical >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Apr 28 12:30:01 1997 >Last-Modified: Fri May 2 15:30:54 PDT 1997 >Originator: dkearns@mot.com >Organization: >Release: 1.2b8 >Environment: AIX/Solaris, 4.x,2.5.x, gcc, etc. >Description: If content-negotiation is turned on generally, and a cgi program (say foo.cgi) is called unqualified, say as /cgi-bin/foo, it loses its script-ness, and returns the source code as text/html!! >How-To-Repeat: Find a script named foo.cgi on a machine with content-neg on, and call it as foo ... yikes! >Fix: This is obviously pretty bad. I will turn off negotiation in cgi-bin dirs, and I think something like -ContentNegotiation (or whatever the syntax is) will plug the hole generally, but what happens if there are alternate version of a script, eg foo.cgi.es|en ? Seems like maybe mod_negotiation should be moved the other side of mod_cgi in the Makefile?? I don't know what that might affect though... %0 >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: dgaudet State-Changed-When: Fri May 2 15:30:54 PDT 1997 State-Changed-Why: Solved by using "AddHandler cgi-script .cgi" and/or by turning off multiviews in the cgi-bin directory. For example: Options ExecCGI Thanks for using Apache! Dean >Unformatted: