* Auriemma Luigi <kaino3at_private> [010604 10:37] wrote:
[...]
> The bug is really simple. If the attacker inserts a unicode space (%20)
> after the script file, the server thinks that the file requested is not a
> cgi script and for this it shows the source; this is an example:
>
> http://host/remote_login.pl%20
>
>
> And the result is the source of "remote_login.pl".
[...]

This also appears to be a bug in the web server shipped with 3.5. While this worked as expected for the NT version, I was not able to duplicate the problem with the Solaris or Linux versions.

Michael Grice <griceat_private>
Berbee Information Networks
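An added example, not part of the original posts or the vendor's code: a Python model of how a trailing `%20` can slip past extension-based handler mapping, next to a check that refuses such names before dispatch. It assumes (the thread does not state the root cause) that the server picks the handler from the literal decoded name while the NT file APIs ignore trailing spaces and dots; the handler table and all function names are hypothetical.

```python
from urllib.parse import unquote
import posixpath

# Assumed handler mapping: these extensions are executed, everything else is served as-is.
CGI_EXTENSIONS = {".pl", ".cgi"}


def naive_handler(raw_path):
    """Choose the handler from the extension of the decoded path exactly as requested."""
    ext = posixpath.splitext(unquote(raw_path))[1]
    return "cgi" if ext in CGI_EXTENSIONS else "static"


def win32_resolved_name(raw_path):
    """Model of the name the Win32 file APIs open: trailing spaces and dots are dropped."""
    return unquote(raw_path).rstrip(" .")


def discloses_source(raw_path):
    """True when the naive mapping says 'static' but the file opened on disk is a script."""
    resolved_ext = posixpath.splitext(win32_resolved_name(raw_path))[1]
    return naive_handler(raw_path) == "static" and resolved_ext in CGI_EXTENSIONS


def hardened_handler(raw_path):
    """Reject names the filesystem would silently rewrite, then map the handler."""
    decoded = unquote(raw_path)
    name = decoded.rsplit("/", 1)[-1]
    if name != name.rstrip(" .") or any(ord(c) < 0x20 for c in name):
        return "reject"
    ext = posixpath.splitext(decoded)[1]
    return "cgi" if ext in CGI_EXTENSIONS else "static"


def flag_requests(paths):
    """Return the request paths from a log that match the disclosure pattern."""
    return [p for p in paths if discloses_source(p)]


if __name__ == "__main__":
    # Constructed sample request paths, as they would appear in an access log.
    sample = ["/remote_login.pl", "/remote_login.pl%20", "/index.html", "/notes.txt%20"]
    for p in sample:
        print(f"{p:24} naive={naive_handler(p):7} hardened={hardened_handler(p)}")
    print("flagged:", flag_requests(sample))
```

The same rejection rule would leave a Unix build unaffected, which matches the report that only the NT version showed the problem.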
This archive was generated by hypermail 2b30 : Mon Jun 04 2001 - 13:37:24 PDT