Uploaded dwww 1.4.1-1 (source i386) to master
Here's release 1.4.1 of dwww.
This release fixes a few minor bugs, and one major
SECURITY BUG. I strongly recommend upgrading to this
version from all previous versions.
The CGI script, in /usr/lib/dwww/dwww.cgi, would accept
backquotes and '$' characters, then pass them on to bash.
This enables people to execute commands as the CGI user.
This is particularly dangerous if someone configures their
web server to run CGI programs as root. dwww.cgi was
modified to convert all backquotes and dollar signs into underscores.
There will probably be a subsequent release with some
The next release after will focus on getting some of the
package information from dpkg into the system, and
improvements to the searching.
-----BEGIN PGP SIGNED MESSAGE-----
Date: Tue, 8 Apr 1997 12:00:21 -0700
Architecture: source i386
Distribution: frozen unstable
Maintainer: Jim Pick <firstname.lastname@example.org>
dwww - Read all on-line documentation via WWW
dwww (1.4.1-1) frozen unstable; urgency=high
* Fixed major security flaw: dwww.cgi would accept backquotes
  and '$' characters, then pass them on to bash. This enables
  people to execute commands as the CGI user. Particularly
  dangerous if someone configures their web server to run
  CGI programs as root. dwww.cgi was modified to convert all
  backquotes and dollar signs into underscores.
* dwww.cgi: don't convert '+' characters into spaces - fixes
  bug #8563 (Thanks Lars Wirzenius and Joost Witteveen)
* dwwwconfig: place quotes around DWWW_SERVERTYPE in
  /etc/dwww/dwww.conf to cope with server names with space
  such as CERN httpd - fixes bug #8525
* /etc/cron.daily/dwww: added line to cd to /var/spool/dwww
  to prevent error message that someone was having (not me)
  - fixed bug #8591
5ad16f1db79b1db3b58417ef4016b00d 597 doc optional dwww_1.4.1-1.dsc
d530f73c1f4f2121d98cbe3ca6502acc 53443 doc optional dwww_1.4.1.orig.tar.gz
00bfb615783e63927a88cf27c8b228de 20 doc optional dwww_1.4.1-1.diff.gz
c6024bc4cb877706c6fbf245ca581a68 46688 doc optional dwww_1.4.1-1_i386.deb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
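
The flaw and the fix described in this announcement, shown as an added example that is not part of the original message and is not dwww's code. The function names, the sample value, and the `eval` pattern are assumptions, since the page does not show how dwww.cgi handed the request to bash.

```bash
#!/bin/sh
# Constructed request value. The embedded commands only echo a marker, so the
# output shows whether the shell expanded them.
SAMPLE='doc`echo EXPANDED`and$(echo EXPANDED)'

# Assumed unsafe pattern: request text is pasted into a string that the shell
# parses a second time, so backquotes and '$' trigger command substitution.
render_unsafe() {
    eval "printf '%s\n' \"topic=$1\""
}

# The change described in the announcement: convert every backquote and
# dollar sign to an underscore before the value goes any further.
sanitize() {
    printf '%s' "$1" | tr '`$' '__'
}

# The same second-parse path, but fed the sanitized value.
render_sanitized() {
    render_unsafe "$(sanitize "$1")"
}

# Alternative that needs no character list: pass the value only as data
# (a quoted argument) and never hand it back to the parser.
render_literal() {
    printf '%s\n' "topic=$1"
}

echo "unsafe:    $(render_unsafe "$SAMPLE")"
echo "sanitized: $(render_sanitized "$SAMPLE")"
echo "literal:   $(render_literal "$SAMPLE")"
```

In the first line of output the marker text replaces the embedded commands, meaning the shell ran them. The sanitized and literal forms both leave the request text unexecuted, and only the literal form preserves it unchanged.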