public inbox for overseers@sourceware.org
* Re: cygwin package-* cgi scripts removed
@ 2004-07-12 23:29       ` Frank Ch. Eigler
From: Frank Ch. Eigler @ 2004-07-12 23:29 UTC (permalink / raw)
  To: Christopher Faylor; +Cc: Corinna Vinschen, Sourceware Overseers


Hi -

On Mon, Jul 12, 2004 at 07:05:01PM -0400, Christopher Faylor wrote:
> [...]
> I checked how the breakin happened and believe that I've modified the scripts
> so that they can't be exploited that way again.  I thought they were somehow
> doing something with the regexes but they were exploiting an open instead.

While the new code appears more robust, I would appreciate
a far more aggressive checking of the input, such as those
procedures suggested on the web for securing CGI scripts.
For example, the script should reject any access outside its
base file hierarchy (../../../../etc/passwd).  (The "h1" procedure
call by the way is generating errors - see /var/log/httpd/*error_log.)

Are you sure that you need this script at all, by the way, rather
than using plain HEADER / DirectoryIndex?

- FChE
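The path-confinement check the reply asks for (reject any access outside the script's base hierarchy), written here as an added Python example rather than code from the Cygwin CGI scripts; the base directory, file and escaping symlink in `demo()` are constructed in a temporary directory:

```python
"""Confine a CGI script's file access to its base directory (added example)."""
import os
import posixpath
import tempfile


class PathRejected(ValueError):
    """Raised when a requested path would leave the base hierarchy."""


def resolve_under_base(base_dir: str, requested: str) -> str:
    """Return the real path for `requested` if it stays under `base_dir`, else raise."""
    if "\0" in requested:
        raise PathRejected("NUL byte in path")
    if requested.startswith(("/", "\\")):
        raise PathRejected("absolute path rejected")
    # Lexical normalisation first: '../../../../etc/passwd' is refused before any
    # filesystem access, while 'sub/../index.html' collapses to 'index.html'.
    norm = posixpath.normpath(requested)
    if norm == ".." or norm.startswith("../"):
        raise PathRejected("path escapes base directory")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, norm))
    # realpath() follows symlinks, so a link inside the tree that points outside
    # is caught by the component-wise prefix test (not a string prefix test).
    try:
        if os.path.commonpath([base_real, candidate]) != base_real:
            raise PathRejected("resolved path escapes base directory")
    except ValueError as exc:  # e.g. different drives on Windows
        raise PathRejected("cannot compare paths") from exc
    return candidate


def is_allowed(base_dir: str, requested: str) -> bool:
    """Boolean wrapper: True only when the path resolves inside base_dir."""
    try:
        resolve_under_base(base_dir, requested)
        return True
    except PathRejected:
        return False


def demo() -> dict:
    """Constructed sandbox: a base dir with one file and a symlink that escapes it."""
    base = tempfile.mkdtemp()
    outside = tempfile.mkdtemp()
    with open(os.path.join(base, "index.html"), "w") as fh:
        fh.write("ok")
    os.symlink(outside, os.path.join(base, "escape"))
    return {
        "plain": is_allowed(base, "index.html"),              # True
        "traversal": is_allowed(base, "../../../../etc/passwd"),  # False
        "absolute": is_allowed(base, "/etc/passwd"),          # False
        "symlink": is_allowed(base, "escape/secret"),         # False
        "dotdot_inside": is_allowed(base, "sub/../index.html"),  # True
    }
```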
