ports/25272: Using lang/eperl as cgi/nph binary executor can give anybody the ability to view the content of any file
Sam Lawrance
lawrance at FreeBSD.org
Sun Apr 17 11:30:24 UTC 2005
The following reply was made to PR ports/25272; it has been noted by GNATS.
From: Sam Lawrance <lawrance at FreeBSD.org>
To: skywizard at time.net.my, bug-followup at FreeBSD.org
Cc: flz at FreeBSD.org
Subject: Re: ports/25272: Using lang/eperl as cgi/nph binary executor can
give anybody the ability to view the content of any file
Date: Sun, 17 Apr 2005 21:21:57 +1000
More information:
The behaviour outlined in the PR is described in both eperl
documentation and code, and is not FreeBSD specific.
When invoked as a cgi or nph-cgi executable with a script name as the
argument, the script is interpreted as an eperl script relative to the
server document root. The result is sent to the client.
Files ending in .html, .phtml, .ephtml, .epl, .pl, .cgi are interpreted
in this manner. The worst result is unintended disclosure of a file
under the document root and ending in one of those extensions.
Refs: ${WRKSRC}/NEWS, INSTALL.APACHE and eperl_main.c
More information about the freebsd-ports-bugs
mailing list