
eperl: protected files can be read by unauthorised users

eperl can be used to read files that the web server access control rules
deny access to. The problem is that a symlink to eperl is installed in
/usr/lib/cgi-bin, so any protected file ending in an extension which eperl
decides to handle (including .html) can be read. E.g. if Apache's DocumentRoot
is set to /var/www, and /var/www/protected is restricted to access by certain
hosts, it is possible to read /var/www/protected/index.html by requesting
/cgi-bin/nph-eperl/protected/index.html.

eperl, and other interpreters / server-side languages should probably not
be installed in /usr/lib/cgi-bin; perhaps debian-policy should mention this
in the section on web servers and cgi-bin (at the moment it says that all
CGI scripts should be there).

Unfortunately moving interpreters from /usr/lib/cgi-bin will prevent their use
as a server-side language in Apache using the AddType and Action directives,
so it's back to shebang lines, I guess.

-- System Information
Debian Release: 2.2
Kernel Version: Linux lamia 2.2.14 #1 Tue Feb 1 20:45:54 GMT 2000 i686 unknown

Versions of the packages eperl depends on:
hi  libc6          2.1.2-13       GNU C Library: Shared libraries and Timezone
ii  libgdbmg1      1.7.3-26.2     GNU dbm database routines (runtime version).
ii  perl-5.005     5.005.03-5.3   Larry Wall's Practical Extracting and Report

-- 
"Damaged people are dangerous, they know they can survive"
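The bypass in the report works because Apache's access control is matched against the request URL (/cgi-bin/nph-eperl/...), while the interpreter then opens DocumentRoot + PATH_INFO on the filesystem, so a <Directory> or <Location> restriction on /protected is never consulted. One way for an administrator to find out whether this route has been used is to look for successful requests whose PATH_INFO resolves into a protected tree. The following detection script is an added example, not part of the original report or of the eperl package; the access log lines, the interpreter paths and the /protected prefix are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines in Common Log Format (not real traffic).
# Line 1: a direct request to the protected file is correctly denied (403).
# Line 2: the same file fetched through the interpreter's PATH_INFO succeeds.
# Line 3: a request through the interpreter for a public file (benign).
# Line 4: the same bypass with redundant path segments, which the filesystem
#         collapses when the interpreter opens the file.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2000:12:00:01 +0000] "GET /protected/index.html HTTP/1.0" 403 0
10.0.0.5 - - [10/Feb/2000:12:00:07 +0000] "GET /cgi-bin/nph-eperl/protected/index.html HTTP/1.0" 200 1523
10.0.0.9 - - [10/Feb/2000:12:01:13 +0000] "GET /cgi-bin/nph-eperl/public/page.html HTTP/1.0" 200 800
10.0.0.7 - - [10/Feb/2000:12:02:44 +0000] "GET /cgi-bin/nph-eperl/./public/../protected/index.html HTTP/1.0" 200 1523
10.0.0.3 - - [10/Feb/2000:12:03:00 +0000] "GET /index.html HTTP/1.0" 200 2048
"""

# Minimal CLF parser: host, timestamp, method, request target, status.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed: interpreters reachable under /cgi-bin (the report names nph-eperl).
INTERPRETER_PREFIXES = ("/cgi-bin/nph-eperl", "/cgi-bin/eperl")
# Assumed: URL prefixes that the server config restricts (the report's example).
PROTECTED_PREFIXES = ("/protected",)


def path_info(target):
    """Return the PATH_INFO part of a request that routes through a cgi-bin
    interpreter, or None if the request does not go through one."""
    path = target.split("?", 1)[0]          # drop the query string
    for prefix in INTERPRETER_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return path[len(prefix):] or "/"
    return None


def normalise(p):
    """Decode percent-encoding and collapse '.' and '..' segments, mirroring
    what the filesystem does when the interpreter opens DocumentRoot + PATH_INFO."""
    out = []
    for seg in unquote(p).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def find_bypasses(log_text):
    """Return (host, raw target, resolved path) for every successful request
    whose PATH_INFO, after normalisation, lands inside a protected prefix."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        pi = path_info(m["target"])
        if pi is None:
            continue
        resolved = normalise(pi)
        inside = any(resolved == pp or resolved.startswith(pp + "/")
                     for pp in PROTECTED_PREFIXES)
        if inside and m["status"] == "200":
            hits.append((m["host"], m["target"], resolved))
    return hits


if __name__ == "__main__":
    for host, target, resolved in find_bypasses(SAMPLE_LOG):
        print(f"{host} fetched protected file {resolved} via {target}")
```

The direct 403 on the first line shows the access rule itself is fine; only the route through the interpreter is flagged. The script compares the resolved PATH_INFO rather than the raw request, because dot segments and percent-encoding in the URL do not change which file the interpreter ends up opening.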