
dwww 1.4.1-1 fixes security bug



I just uploaded release 1.4.1 of dwww.  It is now in Incoming
on master.

This release fixes a few minor bugs, and one major
SECURITY BUG.  I strongly recommend upgrading to this
version from all previous versions.

The CGI script, in /usr/lib/dwww/dwww.cgi, would accept
backquotes and '$' characters, then pass them on to bash.
This enables people to execute commands as the CGI user.
This is particularly dangerous if someone configures their
web server to run CGI programs as root. dwww.cgi was
modified to convert all backquotes and dollar signs into
underscores.

Sorry I didn't catch this earlier.

Cheers,

 - Jim


Attachment: pgpLMRTlUt0cT.pgp
Description: PGP signature
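As an added illustration (not the dwww.cgi source, which the post does not include): a small sh sketch of the bug class described above, the announced fix of mapping backquotes and dollar signs to underscores, and the safer pattern of handing the value to the command as a quoted argument rather than letting the shell re-parse it. The lookup commands, the `eval`-based unsafe variant and the query strings are constructed for this example, and the allowlist check is included because which characters are dangerous depends on how a string reaches the shell, so a blocklist of two characters is only as good as that context.

```shell
#!/bin/sh
# Added example: mirrors the bug class in the announcement, not dwww's code.

# The announced fix: every backquote and dollar sign becomes an underscore,
# so the string can no longer start command substitution or expansion.
sanitize_query() {
    printf '%s' "$1" | tr '`$' '__'
}

# Unsafe pattern (assumed for illustration): the raw query string is pasted
# into a command line that the shell parses again, so `...` inside it runs.
lookup_unsafe() {
    eval "printf 'looking up: %s\n' $1"
}

# Safe pattern: the value is passed as one quoted argument and never
# re-parsed; backquotes and '$' are just bytes in the argument.
lookup_safe() {
    printf 'looking up: %s\n' "$1"
}

# Allowlist check: accept only characters a documentation path needs.
# Returns 0 when clean, 1 otherwise (use before anything touches a shell).
is_clean_query() {
    case "$1" in
        *[!A-Za-z0-9._/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed demo input with a harmless command substitution inside it.
query='ls`echo injected`$HOME'
echo "sanitized : $(sanitize_query "$query")"
echo "unsafe    : $(lookup_unsafe "$query")"
echo "safe      : $(lookup_safe "$query")"
is_clean_query "$query" || echo "allowlist : rejected $query"
is_clean_query 'man/1/ls' && echo "allowlist : accepted man/1/ls"
```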

