
Re: [thierry.laronde: cgi-scripts introduces potential security holes]



Hello,

On Sat, Jan 15, 2000 at 09:14:50PM +0100, Raphael Hertzog wrote:
[..]
> Did you find security holes ? If not how can you be sure that there are
> some ? If I remember well, some have already been discovered and most
> of the shell escape problems have been fixed. I think this bug shouldn't
> be marked as grave until a real problem is given.

Just take a look at the Bourne Shell script called finger.

The only test that is done is that it isn't called without any argument.
Just call it with '-l' as an argument and *anybody* can see the very verbose
explanation of who is actually logged in.

http://[host]/cgi-bin/finger?-l

The first step for the "bad guys" is to find a name.

So, I do think it's a security hole.

> Anyway I wouldn't mind if we remove this package from Debian. What do
> people think ?

We have discussed this and it seems that people agree that the package
can be withdrawn (I have proposed to work on a new one with the same name).

Best regs,
-- 
Thierry LARONDE
thierry.laronde@polynum.com
website : http://www.polynum.com
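
Added example (not part of the original message, and not the package's own code, which is not shown here): a Bourne shell sketch contrasting the "non-empty argument" test described above with an allow-list check that keeps an option such as '-l' from reaching finger. The function names and the login-name pattern are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The original finger CGI script is not reproduced on this
# page; weak_check only models the behaviour the message describes.
LC_ALL=C; export LC_ALL   # make the character ranges below byte-exact

weak_check() {
    # Rejects only the empty argument, so "-l" is accepted and would be
    # handed to finger as an option.
    [ -n "$1" ]
}

strict_check() {
    # Allow-list for a single login name (assumed policy: starts with a
    # letter or '_', then letters, digits, '_' or '-', at most 32 chars).
    case "$1" in
        ''|-*)             return 1 ;;  # empty, or looks like an option
        *[!A-Za-z0-9_-]*)  return 1 ;;  # any character outside the allow-list
        [A-Za-z_]*)        ;;           # acceptable first character
        *)                 return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

finger_decision() {
    # Hypothetical helper: what the CGI wrapper should do with one argument.
    # A real wrapper would run finger only on the "lookup" branch.
    if strict_check "$1"; then
        printf 'lookup %s\n' "$1"
    else
        printf 'reject\n'
    fi
}

# Constructed sample arguments, including the one from the message.
for arg in '-l' 'thierry' 'user@host' ''; do
    printf '%-12s -> %s\n' "[$arg]" "$(finger_decision "$arg")"
done
```
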
