Hylafax Developers Mailing List Archives
[hylafax-devel] Re: Supported Platforms/Security mods?
At 11:04 AM 6/13/00 -0700, Andy Sparrow wrote:
> > The current plan for beta 3, in my head is:
> > - suse ip-source routing patches
> > - fix big manpage cgi-bin security hole..yes this is still not
> > done:-(
>
>Errr, I'm sorry, manpage cgi-bin security hole - I'd not previously
>heard about that. Any reference for that, keyword I can search on,
>whatever?
>
>What's the issue?
>
Try http://www.abcdef.com/cgi-bin/manpage?/etc/passwd
On any system with GNU man, the system's password file is displayed. Other
systems might be vulnerable with the right combination of backslashes and
quoting. The shell script needs to be fixed to strip the extra characters
out of the $QUERY_STRING. There is a FAQ on w3c.org listing the characters
that need to be removed:
http://www.w3.org/Security/faq/wwwsf4.html#Q37
> > - dmitrys patches.
> > - stuff that i have forgot about
>
>Err, could you list those, please? ;-)
Don't worry, I will know about all of them within 24 hours of posting the
release.
- Robert
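As an added illustration of the fix discussed above (example code written for this archive page, not HylaFAX's own cgi-bin script): instead of stripping a blacklist of metacharacters out of $QUERY_STRING, the wrapper below accepts only a whitelisted manpage name before anything reaches man, so a path such as /etc/passwd, a shell metacharacter, or a URL-encoded variant is rejected outright. The function names, the 64-character limit and the sample inputs are assumptions of this example.

```shell
#!/bin/sh
# Hardened input check for a manpage CGI. The original script handed
# $QUERY_STRING straight to man, so "?/etc/passwd" made GNU man open
# that file as if it were a formatted page. This example (not HylaFAX's
# script) uses a whitelist rather than stripping characters.

# Return 0 when $1 is a plain manpage name, optionally with a section
# suffix such as "hylafax-config.5"; return 1 for anything else.
safe_manpage_arg() {
    arg=$1
    # Empty names and overlong names (assumed limit: 64) are rejected.
    [ -n "$arg" ] || return 1
    [ ${#arg} -le 64 ] || return 1
    # Whitelist: letters, digits, '.', '_' and '-'. This rejects '/',
    # quotes, backslashes, ';', '|', '$', and also '%', so a URL-encoded
    # "%2Fetc%2Fpasswd" is refused before any decoding could happen.
    case "$arg" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # A leading '-' would be parsed by man as an option; '..' has no
    # business in a page name even though '/' is already excluded.
    case "$arg" in
        -*|*..*) return 1 ;;
    esac
    return 0
}

# CGI entry point: validate, then call man with the argument quoted so
# the shell cannot split or glob it. Invalid input gets a 400 response
# and the offending value is never echoed back or passed to man.
handle_request() {
    query=$1
    if safe_manpage_arg "$query"; then
        printf 'Content-Type: text/plain\n\n'
        man "$query" 2>&1
    else
        printf 'Status: 400 Bad Request\nContent-Type: text/plain\n\n'
        printf 'Rejected: manpage name must match [A-Za-z0-9._-]\n'
    fi
}

# Only act as a CGI when a web server actually supplied a query string.
if [ -n "${QUERY_STRING:-}" ]; then
    handle_request "$QUERY_STRING"
fi
```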
____________________ HylaFAX(tm) Developers Mailing List ____________________
To unsub: mail -s unsubscribe hylafax-devel-request@hylafax.org < /dev/null