1998-07-17
I've just found a pretty ugly hole in the view-source cgi-shell script.
This script, which can be found in some httpd distributions and
on SCO Skunkware CD-ROMs, is designed to display a given document
located in $DOCUMENT_ROOT/$1 (where $DOCUMENT_ROOT is an
environment variable set by the server).
Unfortunately, view-source does not properly check its arguments.
It is therefore possible to display any file on systems where
view-source is world executable by sending something like
'http://www.server.com/cgi-bin/view-source?../../../../../../../etc/passwd'
Obviously this kind of so-called CGI has no business being in
your cgi-bin directory... Maybe one day CGI will be secure ;)
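
The missing argument check described above, sketched as a hardened shell helper. This is an added example, not the original view-source script; the function names `resolve_under_root` and `view_source` and the underscore-prefixed variables are hypothetical.

```shell
#!/bin/sh
# Added example: containment check for a view-source style CGI.
# Function and variable names are hypothetical, not from the original script.

# resolve_under_root ROOT REQUEST
# Prints the canonical path of REQUEST if it is a regular file inside ROOT;
# returns 1 otherwise.
resolve_under_root() {
    # Canonicalise the document root (physical path, symlinks resolved).
    _root=$(CDPATH= cd -P -- "$1" 2>/dev/null && pwd -P) || return 1
    _cand=$_root/$2
    # Resolve the directory part; this collapses every "../" in the request.
    _dir=$(CDPATH= cd -P -- "$(dirname "$_cand")" 2>/dev/null && pwd -P) || return 1
    # The resolved directory must be the root itself or lie below it.
    case "$_dir/" in
        "$_root"/*) ;;
        *) return 1 ;;
    esac
    _file=$_dir/$(basename "$_cand")
    # Only plain files; a symlink as the last component could point outside.
    [ -f "$_file" ] && [ ! -L "$_file" ] || return 1
    printf '%s\n' "$_file"
}

# view_source ROOT REQUEST
# CGI-style wrapper: serves the file as text, or refuses the request.
view_source() {
    if _path=$(resolve_under_root "$1" "$2"); then
        printf 'Content-Type: text/plain\r\n\r\n'
        cat -- "$_path"
    else
        printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n'
        printf 'request refused\n'
        return 1
    fi
}
```

The check and the later `cat` are separate steps, so this assumes the document root is not writable by untrusted users.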