From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 13693 invoked by alias); 12 Jul 2004 23:29:28 -0000 Mailing-List: contact overseers-help@sources.redhat.com; run by ezmlm Precedence: bulk List-Archive: List-Post: List-Help: , Sender: overseers-owner@sources.redhat.com Received: (qmail 13642 invoked from network); 12 Jul 2004 23:29:25 -0000 Received: from unknown (HELO mx1.redhat.com) (66.187.233.31) by sourceware.org with SMTP; 12 Jul 2004 23:29:25 -0000 Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com [172.16.52.254]) by mx1.redhat.com (8.12.10/8.12.10) with ESMTP id i6CNTPe3000558 for ; Mon, 12 Jul 2004 19:29:25 -0400 Received: from pobox.toronto.redhat.com (pobox.toronto.redhat.com [172.16.14.4]) by int-mx1.corp.redhat.com (8.11.6/8.11.6) with ESMTP id i6CNTP008908; Mon, 12 Jul 2004 19:29:25 -0400 Received: from touchme.toronto.redhat.com (IDENT:postfix@touchme.toronto.redhat.com [172.16.14.9]) by pobox.toronto.redhat.com (8.12.8/8.12.8) with ESMTP id i6CNTOvU032552; Mon, 12 Jul 2004 19:29:24 -0400 Received: from tooth.toronto.redhat.com (tooth.toronto.redhat.com [172.16.14.29]) by touchme.toronto.redhat.com (Postfix) with ESMTP id 645CD800341; Mon, 12 Jul 2004 19:29:24 -0400 (EDT) Received: from tooth.toronto.redhat.com (IDENT:BrSfJAf0LNn2p/IOEY0bckvwQyoaz06G@localhost [127.0.0.1]) by tooth.toronto.redhat.com (8.12.8/8.12.8) with ESMTP id i6CNTOdS026738; Mon, 12 Jul 2004 19:29:24 -0400 Received: (from fche@localhost) by tooth.toronto.redhat.com (8.12.8/8.12.8/Submit) id i6CNTNlA026735; Mon, 12 Jul 2004 19:29:23 -0400 Date: Mon, 12 Jul 2004 23:29:00 -0000 From: "Frank Ch. Eigler" To: Christopher Faylor Cc: Corinna Vinschen , Sourceware Overseers Subject: Re: cygwin package-* cgi scripts removed Message-ID: <20040712232923.GA30961@redhat.com> References: <20040712181228.GA13734@redhat.com> <20040712192018.GA11315@trixie.casa.cgf.cx> <20040712201925.GI1389@cygbert.vinschen.de> <20040712230501.GA12996@trixie.casa.cgf.cx> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="wRRV7LY7NUeQGEoC" Content-Disposition: inline In-Reply-To: <20040712230501.GA12996@trixie.casa.cgf.cx> User-Agent: Mutt/1.4.1i X-SW-Source: 2004-q3/txt/msg00027.txt.bz2 --wRRV7LY7NUeQGEoC Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-length: 811 Hi - On Mon, Jul 12, 2004 at 07:05:01PM -0400, Christopher Faylor wrote: > [...] > I checked how the breakin happened and believe that I've modified the scripts > so that they can't be exploited that way again. I thought they were somehow > doing something with the regexes but they were exploiting an open instead. While the new code appears more robust, I would appreciate a far more aggressive checking of the input, such as those procedures suggested on the web for securing CGI scripts. For example, the script should reject any access outside its base file hierarchy (../../../../etc/passwd). (The "h1" procedure call by the way is generating errors - see /var/log/httpd/*error_log.) Are you sure that you need this script at all, by the way, rather than using plain HEADER / DirectoryIndex? - FChE --wRRV7LY7NUeQGEoC Content-Type: application/pgp-signature Content-Disposition: inline Content-length: 189 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFA8x7TVZbdDOm/ZT0RAtWdAJ0YUgGffFhIoN6EGV1xzr6Ab7cGewCfRTXW XDRoJ6jp9HLsI/i86FVZmNc= =S82/ -----END PGP SIGNATURE----- --wRRV7LY7NUeQGEoC--