I believe the original test-cgi problem was first publicly posted via a
L0pht Security Advisory in 1996. It also mentioned that several of the
variables were under user control.

Just for the record :)

.mudge

On Thu, 14 Jan 1999, Peter van Dijk wrote:

> A paper I wrote somewhere in 1997(!) notes that CONTENT_TYPE, CONTENT_LENGTH,
> HTTP_ACCEPT, HTTP_REFERER, PATH_INFO, PATH_TRANSLATED, QUERY_STRING,
> REQUEST_METHOD and SERVER_PROTOCOL are under control of the user.
>
> If you control your reverse and forward DNS, you could also theoretically
> control REMOTE_HOST.
>
> Greetz, Peter.
> --
> <squeezer> AND I AM GONNA KILL MIKE              | Peter van Dijk
> <squeezer> hardbeat, if you're still sober:      | peterat_private
> <squeezer> @date = localtime(time);              | realtime security d00d
> <squeezer> $date[5] += 2000 if ($date[5] < 37);  |
> <squeezer> $date[5] += 1900 if ($date[5] < 99);  | * blah *
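
The variables named in this thread, handled as client-supplied input by a CGI shell script. This is an added example, not part of the original posts; the validation policy (allowed methods, length limits, hostname character set) and the sample values are assumptions.

```shell
#!/bin/sh
# Added example: the variable list comes from the thread; the validation
# policy below is an assumption made for illustration.
CLIENT_CONTROLLED="CONTENT_TYPE CONTENT_LENGTH HTTP_ACCEPT HTTP_REFERER
PATH_INFO PATH_TRANSLATED QUERY_STRING REQUEST_METHOD SERVER_PROTOCOL REMOTE_HOST"

# Succeeds if NAME is one of the variables the thread lists as user-controlled.
is_client_controlled() {
    for v in $CLIENT_CONTROLLED; do
        [ "$v" = "$1" ] && return 0
    done
    return 1
}

# Succeeds only if VALUE is acceptable for NAME under the assumed policy.
validate_cgi_var() {
    name=$1 value=$2
    case "$value" in *[[:cntrl:]]*) return 1 ;; esac   # no CR, LF or other control bytes
    case "$name" in
        CONTENT_LENGTH)
            case "$value" in ''|*[!0-9]*) return 1 ;; esac
            [ "${#value}" -le 9 ] ;;
        REQUEST_METHOD)
            case "$value" in GET|HEAD|POST) return 0 ;; *) return 1 ;; esac ;;
        SERVER_PROTOCOL)
            case "$value" in HTTP/1.0|HTTP/1.1) return 0 ;; *) return 1 ;; esac ;;
        REMOTE_HOST)
            case "$value" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
            [ "${#value}" -le 253 ] ;;
        *)  [ "${#value}" -le 2048 ] ;;   # free-form fields: only bound the length
    esac
}

# Prints one report line. The value is always expanded inside double quotes,
# so glob and shell metacharacters in it are printed literally, never interpreted.
report_cgi_var() {
    name=$1 value=$2
    if ! is_client_controlled "$name"; then
        printf '%s = %s\n' "$name" "$value"
    elif validate_cgi_var "$name" "$value"; then
        printf '%s (client-supplied) = %s\n' "$name" "$value"
    else
        printf '%s (client-supplied) = <rejected>\n' "$name"
    fi
}

# Constructed sample values, not taken from the thread.
report_cgi_var REQUEST_METHOD "GET"
report_cgi_var QUERY_STRING "a=1&b=*"
report_cgi_var CONTENT_LENGTH "12abc"
report_cgi_var REMOTE_HOST "host_example!"
```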