Some MacPerl CGIs Reveal Server Pathnames - 10 April 1999
The cause is the diagnostic output produced by some Perl CGIs served through MacPerl and a web server. When a CGI with diagnostic output enabled hits an error, it displays the cause of the error in the script together with the full pathname of the script file. That the CGI lives in the web server's cgi-bin directory is nothing new; what is given away is the complete path to it. If the path is Server HD:Web Apps:Serving:Webstar 3.0:cgi-bin:dumbscript.cgi, then exactly that is displayed for all to see.

This is a problem. Someone with devious intent could rename their own hard drive Server HD, create a series of nested folders with the same names as those on the web server's drive, make an alias of the end result, and upload the alias to the web server, where it will be functional because the paths are identical. Such an alias, compressed and then uncompressed in a publicly accessible area or by a trojan application, could be devastating because of the personal and sensitive information that may be stored on the server.
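As an added illustration (not part of the original advisory, and not code from any vendor), the following Perl shows how the leak happens and one way to stop it. The script name, the data file name and the failing open() are assumptions made for the example; the path in the comment is the one quoted above.

```perl
#!/usr/bin/perl -w
# Added example, not from the advisory. The data file is hypothetical;
# any failing open() reproduces the behaviour.
use strict;

my $datafile = 'guestbook.txt';

# Leaky version. A die() string that does not end in a newline gets
# " at <full script path> line N." appended by Perl, and MacPerl's CGI
# glue sends the whole message to the browser, e.g.
#   Cannot open guestbook.txt: No such file or directory at
#   Server HD:Web Apps:Serving:Webstar 3.0:cgi-bin:dumbscript.cgi line 13.
sub leaky_open {
    open(GB, "<$datafile") or die "Cannot open $datafile: $!";
    return \*GB;
}

# Hardened version. Two changes: the detailed message (path included)
# goes to STDERR, which the server keeps in its log, and the browser
# only ever sees a generic error. Ending the die() string with "\n"
# also stops Perl from appending the "at FILE line N." suffix at all.
sub safe_open {
    local $SIG{__DIE__} = sub {
        my $detail = shift;
        print STDERR "cgi error: $detail";   # administrator-only log
        print "Content-type: text/plain\r\n\r\n";
        print "Sorry, the request could not be processed.\n";
        exit 1;
    };
    open(GB, "<$datafile") or die "Cannot open $datafile: $!\n";
    return \*GB;
}

# Open first, send the header only once we know the request succeeded,
# so the error handler's own header never collides with this one.
my $fh = safe_open();
print "Content-type: text/plain\r\n\r\n";
print while <$fh>;
close($fh);
```

Running it with guestbook.txt absent sends the client only the generic line; the message naming the script's full path ends up in the server's error log instead of on the page.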
We hope CGI developers will keep their paths to themselves from now on, and not make them public information.
MAO Enterprises ERT
Freaks Macintosh Archives - Web Site!