Date: Sun, 17 Apr 2005 11:30:23 GMT
From: Sam Lawrance <lawrance@FreeBSD.org>
To: freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/25272: Using lang/eperl as cgi/nph binary executor can give anybody the ability to view the content of any file
Message-ID: <200504171130.j3HBUN33088018@freefall.freebsd.org>
The following reply was made to PR ports/25272; it has been noted by GNATS.

From: Sam Lawrance <lawrance@FreeBSD.org>
To: skywizard@time.net.my, bug-followup@FreeBSD.org
Cc: flz@FreeBSD.org
Subject: Re: ports/25272: Using lang/eperl as cgi/nph binary executor can give anybody the ability to view the content of any file
Date: Sun, 17 Apr 2005 21:21:57 +1000

More information:

The behaviour outlined in the PR is described in both eperl documentation and code, and is not FreeBSD specific.

When invoked as a cgi or nph-cgi executable with a script name as the argument, the script is interpreted as an eperl script relative to the server document root. The result is sent to the client. Files ending in .html, .phtml, .ephtml, .epl, .pl, .cgi are interpreted in this manner.

The worst result is unintended disclosure of a file under the document root and ending in one of those extensions.

Refs: ${WRKSRC}/NEWS, INSTALL.APACHE and eperl_main.c
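An added detection example, not part of the PR followup or of eperl itself: it scans web server access log lines for requests that hand the eperl CGI a path ending in one of the extensions listed above, so an administrator can review which files under the document root are being fed through the interpreter. It assumes eperl is installed under /cgi-bin/eperl or /cgi-bin/nph-eperl and receives the script name as the trailing path component; both the CGI locations and the log lines are constructed for this example.

```python
import re
from urllib.parse import unquote

# Extensions eperl interprets when run as a cgi/nph-cgi executable (listed in the followup).
EPERL_EXTENSIONS = (".html", ".phtml", ".ephtml", ".epl", ".pl", ".cgi")

# Assumption: eperl is reachable at these CGI paths; adjust to the real installation.
EPERL_CGI_NAMES = ("/cgi-bin/eperl", "/cgi-bin/nph-eperl")

# Common log format: host ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def find_eperl_passthrough(lines):
    """Return (client, script path, status) for requests that route a
    document-root file with an eperl-handled extension through the CGI."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        # Drop the query string and decode percent-escapes before matching.
        target = unquote(m.group("target").split("?", 1)[0])
        for cgi in EPERL_CGI_NAMES:
            if target.startswith(cgi + "/"):
                script = target[len(cgi):]
                if script.lower().endswith(EPERL_EXTENSIONS):
                    hits.append((m.group("host"), script, int(m.group("status"))))
                break
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Apr/2005:11:30:23 +0000] "GET /index.html HTTP/1.0" 200 1043
203.0.113.5 - - [17/Apr/2005:11:30:24 +0000] "GET /cgi-bin/nph-eperl/private/notes.html HTTP/1.0" 200 512
203.0.113.5 - - [17/Apr/2005:11:30:25 +0000] "GET /cgi-bin/eperl/admin/config.epl HTTP/1.0" 200 2048
198.51.100.7 - - [17/Apr/2005:11:31:02 +0000] "GET /cgi-bin/eperl/images/logo.png HTTP/1.0" 404 231
198.51.100.7 - - [17/Apr/2005:11:31:10 +0000] "POST /cgi-bin/eperl/scripts/form.cgi?x=1 HTTP/1.1" 200 77
"""

if __name__ == "__main__":
    for host, script, status in find_eperl_passthrough(SAMPLE_LOG.splitlines()):
        print(f"{host} requested {script} via eperl (status {status})")
```

Every hit is a file that eperl would interpret and return; those that were never meant to be eperl scripts are the disclosure cases the followup describes.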