
Re: [MacPerl-WebCGI] Security hole?



At 8:17 AM 6/28/00, Prodoehl, Pete wrote:
>I'm running Mac OS 8.6, Personal Web Sharing 1.5 and MacPerl 5.2.0r4
>
>If I run a MacPerl cgi by requesting this in my browser:
>
>    http://mymac/my.cgi
>
>It works as it should.
>
>If I request this: (note trailing slash)
>
>    http://mymac/my.cgi/
>
>It seems to translate the request to be:
>
>    /PNFIconGraphics/BinHexCacheFolder/-1-2126/my.cgi.hqx
>
>Which actually *downloads* the cgi.
>
>I've tested this in Netscape 4.7 and MSIE 5.0 on the Mac.
>
>Seems like a PWS bug to me... wondering if there's a fix.
>
>thoughts?
>

I tried this with several CGIs, running NetPresenz 4.1 as my local 
web server, and NS 4.7 as client. It 'downloads' not only a copy of 
the CGI, but also a binhexed version, correctly named with the .hqx 
extension. If I put more than the slash after the CGI's name, I got 
correct behavior -- the extra stuff was treated as PATH_INFO.

Tried the same thing with the same CGIs deployed on a UNIX server 
running Apache, and didn't get any funny business.

Hmmm.

I can imagine several spots along the execution path where this could 
be happening.

I fiddled a bit with my File Sharing settings, and managed to get 
some errors if I denied read access to Group and Everyone, but it 
still downloaded the scripts.

I use my local Mac as a test and development environment, not a 
public web server, so I don't have time to mess with my settings. But 
I'd suggest you or someone fully investigate settings in the Web 
Sharing, File Sharing, etc., control panels. (might want to write 
down all of your current settings, so you can restore them later...)

And perhaps there's mention of this at Apple's site.

Matthias? Any ideas?


1;
-- 

- Bruce

__Bruce_Van_Allen___bva@cruzio.com__Santa_Cruz_CA__
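A log-side check for the behaviour Pete and Bruce describe, added here as an example and not part of the thread: it scans Common Log Format lines for successful requests to a `.cgi` name followed only by a trailing slash, or for the BinHex cache path quoted above, so an administrator can tell from the access log whether the server has been handing out script source. The log format, the `find_source_disclosure` helper and the sample lines are assumptions.

```python
import re

# Constructed sample access log (Common Log Format); not taken from the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jun/2000:08:17:01 -0500] "GET /my.cgi HTTP/1.0" 200 512
10.0.0.5 - - [28/Jun/2000:08:17:09 -0500] "GET /my.cgi/ HTTP/1.0" 200 3194
10.0.0.5 - - [28/Jun/2000:08:18:02 -0500] "GET /my.cgi/extra/path HTTP/1.0" 200 530
10.0.0.7 - - [28/Jun/2000:08:19:15 -0500] "GET /PNFIconGraphics/BinHexCacheFolder/-1-2126/my.cgi.hqx HTTP/1.0" 200 4096
10.0.0.9 - - [28/Jun/2000:08:20:30 -0500] "GET /index.html/ HTTP/1.0" 404 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A script name followed by nothing but a slash (empty PATH_INFO).
TRAILING_SLASH_RE = re.compile(r'\.cgi/$', re.IGNORECASE)
# The BinHex cache location the thread reports the request being rewritten to.
BINHEX_RE = re.compile(r'BinHexCacheFolder/.*\.cgi\.hqx$', re.IGNORECASE)


def parse_line(line):
    """Return a dict for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['size'] = 0 if rec['size'] == '-' else int(rec['size'])
    return rec


def find_source_disclosure(log_text):
    """List successful requests that look like CGI source being served."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['status'] != 200:
            continue  # unparsable, or the server refused the request
        path = rec['path'].split('?', 1)[0]  # ignore any query string
        if BINHEX_RE.search(path):
            reason = 'binhex cache path served'
        elif TRAILING_SLASH_RE.search(path):
            reason = 'trailing slash on script'
        else:
            continue  # /my.cgi/extra/path is ordinary PATH_INFO use
        hits.append({'ip': rec['ip'], 'path': path, 'size': rec['size'], 'reason': reason})
    return hits
```

A hit whose size is far larger than the script's normal HTML output is the strongest sign that the file itself, not the script's output, went out.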
