I just uploaded release 1.4.1 of dwww. It is now in Incoming on master.

This release fixes a few minor bugs, and one major SECURITY BUG. I strongly recommend upgrading to this version from all previous versions.

The CGI script, in /usr/lib/dwww/dwww.cgi, would accept backquotes and '$' characters, then pass them on to bash. This enables people to execute commands as the CGI user. This is particularly dangerous if someone configures their web server to run CGI programs as root.

dwww.cgi was modified to convert all backquotes and dollar signs into underscores.

Sorry I didn't catch this earlier.

Cheers,
- Jim
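The substitution described in the announcement, written out as an added example (this is not dwww's code and not from the message's author). The function names, the stderr note and the sample values are constructed for illustration, and the allowlist variant is an assumption about what a stricter filter could look like.

```shell
#!/bin/sh
# Added example, not dwww's code. Function names and sample values are constructed.
LC_ALL=C; export LC_ALL

# True (0) if the value holds a backquote or a dollar sign, the two characters
# the announcement says dwww.cgi used to hand to bash unchanged.
has_expansion_chars() {
    case $1 in
        *'`'*|*'$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# The substitution the announcement describes: every backquote and dollar
# sign becomes an underscore; all other characters are left alone.
neutralize_expansion() {
    printf '%s' "$1" | tr '`$' '__'
}

# Stricter variant (assumption, not from the announcement): keep only the
# characters expected in a document or package name, replace the rest.
allowlist_name() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9._+-' '_'
}

# Neutralize a request value and leave a note on stderr when it was altered,
# so the rewrite shows up in the web server's error log.
sanitize_cgi_value() {
    if has_expansion_chars "$1"; then
        printf 'dwww-example: rewrote value with expansion characters (%d bytes)\n' "${#1}" >&2
    fi
    neutralize_expansion "$1"
}

# Constructed sample values: one ordinary name, one with both characters.
for v in 'bash-doc' 'doc`x`$y'; do
    printf '%s -> %s\n' "$v" "$(sanitize_cgi_value "$v")"
done
```

The values are always passed as quoted arguments and never re-parsed by the shell, which is what keeps the example itself from expanding them.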