Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!munnari.OZ.AU!news.hawaii.edu!ames!pendragon!news.msfc.nasa.gov!newsfeed.internetmci.com!in2.uu.net!omega.metrics.com!omega.metrics.com!not-for-mail
From: polk@BSDI.COM (Jeff Polk)
Newsgroups: comp.unix.bsd.bsdi.announce
Subject: SECURITY: CERT Advisory CA-96.06 (NCSA/Apache CGI Example Code)
Followup-To: comp.unix.bsd.bsdi.misc
Date: 4 Apr 1996 12:35:39 -0500
Organization: BSDI
Lines: 32
Sender: tomh@omega.metrics.com
Approved: tomh@metrics.com
Message-ID: <4k119b$igb@omega.metrics.com>
NNTP-Posting-Host: omega.metrics.com

BSDI does not install any binaries affected by this advisory, but the
source code for the affected binaries is included as example code on
both the binary and source versions of our 2.1 release.

This advisory describes a problem in the example CGI code included with
NCSA and Apache servers (the Apache server is included with the 2.1 BSDI
release). The problem is with the escape_shell_cmd() function included
in the util.c source file.

BSDI does not install the affected example program ``phf'', but the
sources for util.c (and the phf program) are included with the release
in /usr/src/contrib/apache (on both the binary and source versions).

BSDI recommends that customers using the example code as a basis for
custom CGI programs ensure that they do not use the affected routine.

See the CERT advisory itself for more information and suggested
solutions. CERT advisories are available from CERT's anonymous ftp
archive at:

    ftp://info.cert.org/pub/

Jeff
-- 
[ /tom haapanen -- tomh@metrics.com -- software metrics inc -- waterloo, ont ]
[ "walk a straight line through a cow pasture, and you'll step            ]
[  in some cow pies, but you'll get where you are going."    -- joe kidd  ]
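The defect CA-96.06 describes in escape_shell_cmd() is that the routine backslash-escaped the usual shell metacharacters but not the newline character, so a CGI parameter carrying a URL-encoded %0a reached the shell as a command separator. The program below is an added example written for this page; it is not BSDI's, NCSA's or Apache's code. The metacharacter list, the buffer handling and the "add newline to the list" fix are reconstructions of the approach taken in util.c, not copies of it, and the query string is constructed for the demonstration. The same escaping function is run with and without newline handling so the bypass and the fix can be compared on identical input.

```c
/* Added example (not code from the original post or from Apache/NCSA):
 * a reconstruction of the escape_shell_cmd() newline bypass from CA-96.06. */
#include <stdio.h>
#include <string.h>

/* Shell metacharacters the routine backslash-escapes (reconstructed list;
 * the historical defect was that '\n' was absent from it). */
#define SHELL_META "&;`'\"|*?~<>^()[]{}$\\"

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes and '+' in a CGI query parameter into out. */
char *url_decode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (; *in && o + 1 < outsz; in++) {
        int hi, lo;
        if (*in == '%' && (hi = hexval(in[1])) >= 0 && (lo = hexval(in[2])) >= 0) {
            out[o++] = (char)(hi * 16 + lo);
            in += 2;
        } else {
            out[o++] = (*in == '+') ? ' ' : *in;
        }
    }
    out[o] = '\0';
    return out;
}

/* Backslash-escape shell metacharacters from in into out.
 * escape_newlines == 0 reproduces the original omission: '\n' passes through
 * untouched, and the shell treats it as the end of one command and the start
 * of another. escape_newlines == 1 applies the fix of escaping '\n' as well
 * (backslash-newline is a line continuation in sh, so the separator is gone).
 * Returns NULL if the escaped string would not fit in outsz bytes. */
char *escape_shell_cmd(const char *in, char *out, size_t outsz, int escape_newlines) {
    size_t o = 0;
    for (; *in; in++) {
        int special = strchr(SHELL_META, *in) != NULL;
        if (escape_newlines && *in == '\n') special = 1;
        if (o + (special ? 2u : 1u) >= outsz) return NULL;
        if (special) out[o++] = '\\';
        out[o++] = *in;
    }
    out[o] = '\0';
    return out;
}

/* Approximates the shell's view: a newline not preceded by an (unescaped)
 * backslash is a command separator. */
int has_unescaped_newline(const char *s) {
    for (; *s; s++) {
        if (*s == '\\' && s[1]) { s++; continue; }   /* skip escaped char */
        if (*s == '\n') return 1;
    }
    return 0;
}

/* Decode a query parameter, escape it, and report whether a second command
 * could still be smuggled through: 1 = injectable, 0 = neutralised,
 * -1 = escaped form did not fit. */
int query_is_injectable(const char *query, int escape_newlines) {
    char decoded[256], escaped[512];
    url_decode(query, decoded, sizeof decoded);
    if (!escape_shell_cmd(decoded, escaped, sizeof escaped, escape_newlines))
        return -1;
    return has_unescaped_newline(escaped);
}

/* Escape into a static buffer so callers can inspect the exact output. */
const char *escape_to_static(const char *in, int escape_newlines) {
    static char buf[512];
    return escape_shell_cmd(in, buf, sizeof buf, escape_newlines);
}

int main(void) {
    /* Constructed query string of the kind reported against phf. */
    const char *query = "Qalias=x%0acat%20/etc/passwd";
    printf("original escaping : %s\n",
           query_is_injectable(query, 0) ? "newline survives, second command runs" : "safe");
    printf("newline escaped   : %s\n",
           query_is_injectable(query, 1) ? "newline survives" : "safe");
    printf("semicolon variant : %s\n",
           query_is_injectable("Qalias=x;cat%20/etc/passwd", 0) ? "injectable" : "escaped as expected");
    return 0;
}
```

The semicolon variant shows why the routine looked adequate in testing: the obvious separators were escaped, and only the character left off the list got through. Adding '\n' closes this instance, but the recommendation in the post stands: code built from the example should not pass user input through a shell at all, and instead should exec the target program directly with an argument vector, which leaves no metacharacters to escape.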