> There seems to be a bug with the UBB under NT Actually, I would say the bug was a poor choice of extension on UBB's part. On NT, you most likely have mapped the .cgi extension to invoke perl to handle the script; so when you request 000001.cgi, perl is actually running and trying to read it. This is actually similar to the %20.pl bug published, wow, like a year ago? More than that? I remember Mr. Cooper over on his list talking about it. The reason why Apache/unix gives you a 500 error is lack of the shebang (#!/path/to/interpreter) line at the beginning, and also because the script doesn't return proper headers. If Apache was just as lax as IIS, you would get the same result. Granted, since those files contain passwords, they shouldn't even be readable by the webserver, but it's a catch-22. And the fact that they contain plaintext passwords is un-nerving. > How to fix? change the members path to something more like > xvc83nx9wy4nd0w74m3. That will solve it. Until someone guesses the path. Security through obscurity. It won't hurt, but don't put faith in the "that will solve it" schpeil. - rain forest puppy
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:15:40 PDT