www-sql is a cgi program to access a mysql database via a http server and create easyly some pages from a query result. That program acts as a filter, using PATH_TRANSLATED feature to access html files on your server tree, and it translates <! sql ...> tags into html viewable text, letting other parts of the html file unchanged. The problem is that www-sql performs nothing to verify if a user can access the intended PATH_TRANSLATED file. So, suppose your htdocs tree is /home/htdocs/ you have a subdirectory /home/htdocs/protected/ in which you have you have restricted access using .htaccess file. In your browser, enter URL http://your.server/protected/something.html: you get prompted a username and a password. Now, enter URL http://your.server/cgi-bin/www-sql/protected/something.html: you get the requested file www-sql is available into Incoming sunsite directory Christophe Leroy
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:42:11 PDT