[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

dwww 1.4.1-1 fixes security bug

I just uploaded release 1.4.1 of dwww.  It is now in Incoming
on master.

This release fixes a few minor bugs, and one major
SECURITY BUG.  I strongly recommend upgrading to this
version from all previous versions.

The CGI script, in /usr/lib/dwww/dwww.cgi, would accept 
backquotes and '$' characters, then pass them on to bash.  
This enables people to execute commands as the CGI user.  
This is particularily dangerous if someone configures their 
web server to run CGI programs as root. dwww.cgi was 
modified to convert all backquotes and dollar signs into 

Sorry I didn't catch this earlier.


 - Jim

Attachment: pgpLMRTlUt0cT.pgp
Description: PGP signature

Reply to: