Re: [thierry.laronde: cgi-scripts introduces potential security holes]
Hello,
On Sat, Jan 15, 2000 at 09:14:50PM +0100, Raphael Hertzog wrote:
[..]
> Did you find security holes ? If not how can you be sure that there are
> some ? If I remember well, some have already been discovered and most
> of the shell escape problems have been fixed. I think this bug shouldn't
> be marked as grave until a real problem is given.
Just give a look to the Bourne Shell script called finger.
The only test that is done, is that it isn't called without any argument.
Just call it with '-l' as an argument and *anybody* can see the very verbose
explanation of who is actually logged.
http://[host]/cgi-bin/finger?-l
The first step for the "bad guys" is to find a name.
So, I do think it's a security hole.
> Anyway I wouldn't mind if we remove this package from Debian. What do
> people think ?
We have discussed about this and it seems that people agree that the package
can be withdrawned ( I have proposed to work on a new one with the same name).
Best regs,
--
Thierry LARONDE
thierry.laronde@polynum.com
website : http://www.polynum.com
Reply to: