<<< Date Index >>>     <<< Thread Index >>>

Re: Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows



This _is_ a vulnerability.

Even though the common convention is never to include 'cgi-bin' within the 
document-root, still, many companies put 'cgi-bin' inside the document-root 
assuming it to be a safe practice. 

No matter what the common convention is; the fact is, if the cgi-bin directory 
is marked as a Scripts folder with the ScriptAlias 'cgi-bin' (i.e. the same 
name as the directory), the user should be able to see the contents of the 
directory as scripts only. There shouldn't be any way to bypass the security 
mechanism to prevent execution of the files in that driectory.

IMHO, Apache must come up with a patch so that it can take care of the 
case-insensitivity of Windows systems rather than calling it a 
mis-configuration so as to provide more flexibility to the Apache admins.

- Naresh
--------------------------------------------------------------------------
> This is not a security vulnerability in the server, but rather a serious
> misconfiguration of the ScriptAlias Directive. ScriptAlias exists to
> allow CGI scripts to be stored in a directory outside of the document
> tree. Common convention is never to include cgi-bin within the document
> tree.
>
> Regards,
> Joe Orton