Security alert - CGI exploit in Xitami for OS/2

From: Chuck Byam (crb6xat_private)
Date: Mon Sep 21 1998 - 19:44:27 PDT


    The following note was sent to the Xitami mailing list Monday, September 21,
    1998.
    
    Xitami is a free and easily configurable web server for many platforms,
    including OS/2.  More info can be found at:
    
      http://www.imatix.com/
    
    
    Security alert
    --------------
    
    There is the potential on non-Unix systems to open a security hole in Xitami
    whereby users can execute arbitrary CGI programs on the server.
    
    This is not possible on default configurations.
    
    The security hole is possible because Xitami allows the CGI indicator,
    '/cgi-bin' to occur anywhere in the URL.  This is a valid CGI URL, assuming
    that 'program.pl' is an executable program, e.g. a Perl script:
    
      http://somehost/users/jondo/cgi-bin/program.pl
    
    If you have configured Xitami so that a user can upload files into the HTTP
    area using FTP, then the user can also upload arbitrary CGI programs and
    execute them on your system.
    
    The next release of Xitami will provide an option to disable the wildcard
    matching of '/cgi-bin' in the URL.  In existing versions, you should run
    Xitami under a user ID that does not have access to sensitive data, if the
    operating system allows this.
    
    --
    Pieter Hintjens
    iMatix Corporation
    
    ---
    CB
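As an added illustration, not part of the original post or of Xitami's own code, the following Python checker flags request paths in which 'cgi-bin' appears as a path segment anywhere other than at the root (the wildcard behaviour the note describes) and includes a strict policy function equivalent to the option the note says the next release will add; the sample request lines and the ALLOWED_CGI_PREFIX value are constructed assumptions.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample request lines (not taken from the advisory).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/search.pl?q=test HTTP/1.0",
    "GET /users/jondo/cgi-bin/program.pl HTTP/1.0",
    "GET /users/jondo/index.html HTTP/1.0",
    "GET /users/jondo/%63gi-bin/program.pl HTTP/1.0",
    "GET /docs/cgi-bin-notes.html HTTP/1.0",
]

# Assumed policy: only this prefix is a legitimate CGI location.
ALLOWED_CGI_PREFIX = "/cgi-bin/"


def normalize_path(request_line):
    """Return the percent-decoded URL path from a 'METHOD path VERSION' line."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    # Decode so an encoded 'cgi-bin' is seen the way a lenient server sees it.
    return unquote(urlsplit(parts[1]).path)


def cgi_bin_segment_positions(path):
    """Indices of path segments equal to 'cgi-bin' (segment match, not substring)."""
    return [i for i, seg in enumerate(path.split("/")) if seg == "cgi-bin"]


def is_wildcard_cgi_request(request_line):
    """True when 'cgi-bin' is a segment anywhere but directly under the root."""
    path = normalize_path(request_line)
    if path is None:
        return False
    # Segment index 1 is the first segment after the leading '/'.
    return any(pos != 1 for pos in cgi_bin_segment_positions(path))


def should_execute_as_cgi(path):
    """Strict policy: run CGI only under the configured prefix, no '..' segments."""
    return path.startswith(ALLOWED_CGI_PREFIX) and ".." not in path.split("/")


def flag_requests(lines):
    """Return the request lines that rely on wildcard '/cgi-bin' matching."""
    return [line for line in lines if is_wildcard_cgi_request(line)]
```

Running flag_requests over the constructed sample reports the two '/users/jondo/cgi-bin/...' lines (including the percent-encoded one) and leaves '/docs/cgi-bin-notes.html' alone because the match is per segment.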
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:17:14 PDT