lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060817073519.3832.qmail@securityfocus.com>
Date: 17 Aug 2006 07:35:19 -0000
From: nareshhacker@...il.com
To: bugtraq@...urityfocus.com
Subject: Re: Re: CGI Script Source Code Disclosure Vulnerability in Apache
 for Windows

This _is_ a vulnerability.

Even though the common convention is never to include 'cgi-bin' within the document-root, still, many companies put 'cgi-bin' inside the document-root assuming it to be a safe practice. 

No matter what the common convention is; the fact is, if the cgi-bin directory is marked as a Scripts folder with the ScriptAlias 'cgi-bin' (i.e. the same name as the directory), the user should be able to see the contents of the directory as scripts only. There shouldn't be any way to bypass the security mechanism to prevent execution of the files in that driectory.

IMHO, Apache must come up with a patch so that it can take care of the case-insensitivity of Windows systems rather than calling it a mis-configuration so as to provide more flexibility to the Apache admins.

- Naresh
--------------------------------------------------------------------------
> This is not a security vulnerability in the server, but rather a serious
> misconfiguration of the ScriptAlias Directive. ScriptAlias exists to
> allow CGI scripts to be stored in a directory outside of the document
> tree. Common convention is never to include cgi-bin within the document
> tree.
>
> Regards,
> Joe Orton

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ