
Re: [MacPerl-WebCGI] Security hole?



Bruce Van Allen wrote:
> 
> At 8:17 AM 6/28/00, Prodoehl, Pete wrote:
> >I'm running Mac OS 8.6, Personal Web Sharing 1.5 and MacPerl 5.2.0r4
> >
> >If I run a MacPerl cgi by requesting this in my browser:
> >
> >    http://mymac/my.cgi
> >
> >It works as it should.
> >
> >If I request this: (note trailing slash)
> >
> >    http://mymac/my.cgi/
> >
> >It seems to translate the request to be:
> >
> >    /PNFIconGraphics/BinHexCacheFolder/-1-2126/my.cgi.hqx
> >
> >Which actually *downloads* the cgi....
> 
> I tried this with several CGIs, running NetPresenz 4.1 as my local
> web server, and NS 4.7 as client. It 'downloads' not only a copy of
> the CGI, but also a binhexed version, correctly named with the .hqx
> extension. If I put more than the slash after the CGI's name, I got
> correct behavior -- the extra stuff was treated as PATH_INFO....

I found this to work, at least returning an error message rather than
downloading the script:

1) Create a script containing only the shebang line "#!/usr/bin/perl" and
save it as a CGI script named "error.cgi" in your cgi-bin folder.

2) In the Web Sharing control panel, select Preferences under the Edit
menu and click the Actions tab.  Create a New action "Launch at suffix"
using the suffix ".cgi/" and select "error.cgi" as the application.

If anyone adds a slash after a CGI file name they will get an error
message rather than a download.
-- 
Leland R. Beaudrot
A fisher of men using the Net.  >((((("> ~Jesus
http://www.arpsynod.org/
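The request shape discussed in this thread (a CGI name followed by a bare trailing slash) leaves a recognisable trace in a web server's access log, so it can be spotted after the fact as well as blocked with the suffix action above. The following Perl script is an added example and is not code from the thread or from MacPerl; it assumes the server writes Common Log Format lines, and the log lines, hosts and paths in it are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): scan access-log lines for
# requests that name a .cgi script with a bare trailing slash, the request
# shape the thread reports causes the script to be served for download
# instead of executed.
use strict;
use warnings;

# Constructed sample lines in Common Log Format (assumed log format);
# the hosts, times and paths are made up for this example.
my @log_lines = (
    '10.0.0.5 - - [28/Jun/2000:08:17:02 -0500] "GET /my.cgi HTTP/1.0" 200 512',
    '10.0.0.5 - - [28/Jun/2000:08:17:09 -0500] "GET /my.cgi/ HTTP/1.0" 200 2048',
    '10.0.0.9 - - [28/Jun/2000:08:20:41 -0500] "GET /my.cgi/extra/path HTTP/1.0" 200 512',
    '10.0.0.9 - - [28/Jun/2000:08:21:00 -0500] "GET /index.html HTTP/1.0" 200 1024',
);

# Return the log lines whose request path is a .cgi name followed by
# exactly one trailing slash and nothing else. Paths with more text after
# the slash are ordinary PATH_INFO use (which the thread reports works
# correctly) and are not flagged.
sub find_trailing_slash_cgi_requests {
    my @lines = @_;
    my @hits;
    for my $line (@lines) {
        # Pull the request path out of the quoted request field.
        next unless $line =~ /"(?:GET|HEAD|POST)\s+(\S+)\s+HTTP\/[\d.]+"/;
        my $path = $1;
        $path =~ s/\?.*//;    # drop any query string before checking
        push @hits, $line if $path =~ m{\.cgi/$}i;
    }
    return @hits;
}

my @suspicious = find_trailing_slash_cgi_requests(@log_lines);
print "Flagged request(s):\n";
print "  $_\n" for @suspicious;
```

Run against the constructed lines, only the second entry (the request for `/my.cgi/`) is flagged; a real deployment would feed the server's own log into `find_trailing_slash_cgi_requests` instead of the embedded array.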
