Re: FormHandler.cgi

From: Kevin Hemenway (infoat_private)
Date: Fri Dec 03 1999 - 07:51:02 PST


    Regarding previous messages concerning FormHandler.cgi on 11/8/99 and
    11/15/99 and how four lines of code can send anyone your passwd file:
    
    I had previously stated that you could add '..' to the
    @RESTRICTED_ATTACH_DIRS. This is incorrect and actually breaks the
    'email_template' (and possibly others) feature. You can however use the
    following:
    
        @RESTRICTED_ATTACH_DIRS = ('/etc/','\.\.');
    
    This made 'email_template' work again, but could have broken something else.
    
    Kevin Hemenway
    -- -----------------------------------------------------------------
    Total Net NH, LLC              EMAIL: <infoat_private>
    15 Pleasant St., Suite 11      WEBSITE: <http://www.totalnetnh.net/>
    Concord, NH 03301              PHONE: (603) 225-8422
    --------------------------------------------------------------------
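
The difference between the two list entries, as an added example that is not part of the original post and not FormHandler.cgi's own code. It assumes each `@RESTRICTED_ATTACH_DIRS` entry is applied to the requested path as an unanchored regular expression; the helper names, the sample paths and the allowlist check are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: every list entry is used as an unanchored regex against the
# requested attachment path (hypothetical helper, not the script's own code).
sub is_restricted {
    my ($path, @patterns) = @_;
    for my $re (@patterns) {
        return 1 if $path =~ /$re/;
    }
    return 0;
}

# Allowlist alternative (added suggestion): accept only relative paths with
# no ".." component, so the result stays under one attachment directory.
# Symlinks inside that directory are not resolved by this check.
sub is_allowed {
    my ($path) = @_;
    return 0 if $path eq '' || $path =~ m{^/} || $path =~ /\0/;
    return 0 if grep { $_ eq '..' } split m{/+}, $path;
    return 1;
}

my @broken = ('/etc/', '..');      # '..' as a regex: any two characters
my @fixed  = ('/etc/', '\.\.');    # '\.\.' as a regex: a literal ".."

# Constructed sample paths; the template path is hypothetical.
my @paths = (
    'templates/email_template.txt',
    '../../etc/passwd',
    '/etc/passwd',
);

printf "%-30s %-9s %-9s %s\n", 'path', "'..'", "'\\.\\.'", 'allowlist';
for my $p (@paths) {
    printf "%-30s %-9s %-9s %s\n", $p,
        (is_restricted($p, @broken) ? 'blocked' : 'allowed'),
        (is_restricted($p, @fixed)  ? 'blocked' : 'allowed'),
        (is_allowed($p)             ? 'allowed' : 'blocked');
}
```

With the unescaped `'..'` every path of two or more characters is blocked, including the template; with `'\.\.'` only paths containing a literal `..` (or `/etc/`) are.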
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:16:49 PDT