Date: Fri, 3 Aug 2001 10:40:28 -0700 (PDT)
From: Josef Karthauser <joe@tao.org.uk>
To: freebsd-bugs@FreeBSD.org
Subject: Re: misc/29414: http://www.uk.freebsd.org/cgi lets anyone view the cgi programs
Message-ID: <200108031740.f73HeSH53523@freefall.freebsd.org>

The following reply was made to PR misc/29414; it has been noted by GNATS.

From: Josef Karthauser <joe@tao.org.uk>
To: setantae <setantae@submonkey.net>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: misc/29414: http://www.uk.freebsd.org/cgi lets anyone view the cgi programs
Date: Fri, 3 Aug 2001 18:30:28 +0100

On Fri, Aug 03, 2001 at 06:02:28PM +0100, setantae wrote:
>
> >Number:         29414
> >Category:       misc
> >Synopsis:       http://www.uk.freebsd.org/cgi lets anyone view the cgi programs
> >Confidential:   no
> >Severity:       non-critical
> >Priority:       low
> >Responsible:    freebsd-bugs
> >State:          open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class:          change-request
> >Submitter-Id:   current-users
> >Arrival-Date:   Fri Aug 03 10:10:00 PDT 2001
> >Closed-Date:
> >Last-Modified:
> >Originator:     setantae
> >Release:        FreeBSD 4.4-PRERELEASE i386
> >Organization:
> >Environment:
> System: FreeBSD rhadamanth.hounds 4.4-PRERELEASE FreeBSD 4.4-PRERELEASE #4: Fri Aug 3 12:49:51 BST 2001 root@rhadamanth.hounds:/usr/obj/usr/src/sys/RHADAMANTH i386
>
> >Description:
> www.uk.freebsd.org has the incorrect config regarding the /cgi
> directory.
> Visiting http://www.uk.freebsd.org/cgi gives a directory index, and
> choosing any of the files therein shows you the source code instead
> of the output of their execution.
> Other mirrors do not allow directory indexing on that part of the site.
>
> In addition, www3.uk.freebsd.org allows you to view the source of any
> script in /cgi if you already know its name.
> All other mirrors I have tried also allow this, though none other than
> www.uk.freebsd.org allow directory indexing.

I don't see that this is a problem. It's not a security issue as all
of the cgi scripts are publicly available anyway.

The www.uk.freebsd.org machine has a global policy of allowing directory
indexes, and I don't see that it's a problem that it's switched on for
the FreeBSD mirror.

Joe
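
The two symptoms the PR describes (a directory index at /cgi, and a script's source returned instead of its output) can be told apart per mirror from captured responses. This is an added example, not part of the original message; the host names, script name, sample responses and matching heuristics are constructed assumptions.

```python
import re

# Heuristics are assumptions for this example; tune them to the server audited.
INDEX_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)  # generated listing
SHEBANG = re.compile(r"\A#!\s*/\S+")  # body is the script text, not its output


def classify(status, content_type, body):
    """Label one response fetched from under /cgi."""
    if status != 200:
        return "not-served"
    ctype = content_type.split(";", 1)[0].strip().lower()
    if ctype == "text/html" and INDEX_TITLE.search(body):
        return "directory-index"
    if SHEBANG.match(body):
        return "source-disclosed"
    return "executed"


def audit(captures):
    """captures: {host: [(path, status, content_type, body), ...]}."""
    return {
        host: {path: classify(status, ctype, body)
               for path, status, ctype, body in responses}
        for host, responses in captures.items()
    }


# Constructed responses (not real captures) for three hypothetical mirrors.
LISTING = "<html><head><title>Index of /cgi</title></head><body>...</body></html>"
SOURCE = '#!/usr/bin/perl\nprint "Content-type: text/html\\n\\n";\n'
OUTPUT = "<html><head><title>Results</title></head><body>...</body></html>"
DENIED = "<html><head><title>403 Forbidden</title></head><body>...</body></html>"
SCRIPT = "/cgi/example.cgi"  # hypothetical script name

CAPTURES = {
    "mirror-a.example": [("/cgi/", 200, "text/html", LISTING),
                         (SCRIPT, 200, "text/plain", SOURCE)],
    "mirror-b.example": [("/cgi/", 403, "text/html", DENIED),
                         (SCRIPT, 200, "text/plain", SOURCE)],
    "mirror-c.example": [("/cgi/", 403, "text/html", DENIED),
                         (SCRIPT, 200, "text/html; charset=iso-8859-1", OUTPUT)],
}

if __name__ == "__main__":
    for host, findings in audit(CAPTURES).items():
        print(host, findings)
```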