| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20060816091544.GA32003@redhat.com> Date: Wed, 16 Aug 2006 10:15:44 +0100 From: Joe Orton <jorton@...hat.com> To: bugtraq@...urityfocus.com Subject: Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows On Wed, Aug 09, 2006 at 10:15:42AM -0000, susam.pal@...il.com wrote: > ADVISORY NAME: > CGI Script Source Code Disclosure Vulnerability in Apache for Windows ... > But a similar configuration isn't safe in Windows. For instance:- > > # Sample Unsafe Configuration for Windows > DocumentRoot "C:/Documents and Settings/webmaster/site/docroot" > ScriptAlias /cgi-bin/ "C:/Documents and Settings/webmaster/site/docroot/cgi-bin/" > > If the scripts' directory (represented by 'ScriptAlias') lies inside > the document-root directory (represented by 'DocumentRoot') and the > name of the script-alias is same as that of the directory containing > the scripts then the attacker can obtain the source code of the CGI > scripts by making a direct request to 'http://[target]/CGI-BIN/foo'. This is not a security vulnerability in the server, but rather a serious misconfiguration of the ScriptAlias Directive. ScriptAlias exists to allow CGI scripts to be stored in a directory outside of the document tree. Common convention is never to include cgi-bin within the document tree. Regards, Joe Orton
Powered by blists - more mailing lists