Code exposure on www5.us.freebsd.org
daniel.collins at earthlink.net
Tue Sep 23 22:17:40 PDT 2003
I'm not a CGI hacker (more like your typical PHP coder) but I noticed the following:
When I went to the following URL: http://www5.us.freebsd.org/cgi/query-pr-summary.cgi?query
The server returned to me the contents of the script instead of executing it, e.g.
#!/usr/bin/perl -T
# $FreeBSD: www/en/cgi/query-pr-summary.cgi,v 1.40 2003/09/02 09:46:27 dougb Exp $
sub escape($) { $_ = $_[0]; s/&/&amp;/g; s/</&lt;/g; s/>/&gt;/g; $_; }
$html_mode = 1 if $ENV{'DOCUMENT_ROOT'};
$self_ref = $ENV{'SCRIPT_NAME'};
($query_pr_ref = $self_ref) =~ s/-summary//;
$ENV{'PATH'} = '/bin:/usr/bin:/usr/sbin:/sbin:/usr/local/bin';
$project = "FreeBSD";
$mail_prefix = "freebsd-";
$mail_unass = "freebsd-bugs";
$ports_unass = "ports-bugs";
$closed_too = 0;
[...... and so forth...]
I don't know if this is just a transient issue with your server configs or if this is something I should have PR'd, but I hope I'm sending this to the right place and somebody finds it useful. This seemed to work properly on www.freebsd.org, but I haven't tried any of the other mirrors.
BTW, is there an easy way to write that header line with the version and date in it? I'd like to use those in my critical files as well.
Peace,
-- Daniel
<><
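An added example, not part of the original message and not FreeBSD project code: a check a mirror operator could run over saved responses to a CGI URL to tell executed output from served source, as in the report above. The host names, the sample bodies other than the lines quoted in the report, and the expectation that the working script answers with text/html are assumptions.

```python
import re

SHEBANG = re.compile(rb"\A#!\s*/\S+")                        # interpreter line at byte 0
RCS_TAG = re.compile(rb"\$(?:FreeBSD|Id|Header):[^$\n]*\$")  # expanded RCS keyword
PERL_STMT = re.compile(rb"^\s*(?:sub\s+\w+|\$\w+\s*=)", re.M)  # "sub foo" / "$var ="

def classify_cgi_response(content_type, body):
    """Return (verdict, reasons); verdict is 'source-exposed', 'review' or 'ok'."""
    reasons = []
    shebang = SHEBANG.search(body) is not None
    if shebang:
        reasons.append("body starts with an interpreter line")
    tag = RCS_TAG.search(body)
    if tag:
        reasons.append("RCS keyword present: " + tag.group(0).decode("latin-1"))
    perl_lines = len(PERL_STMT.findall(body))
    if perl_lines >= 3:
        reasons.append("%d lines look like Perl statements" % perl_lines)
    # Assumption: the working script answers browsers with text/html.
    ctype = content_type.split(";")[0].strip().lower()
    if ctype != "text/html":
        reasons.append("unexpected Content-Type: " + (ctype or "(none)"))
    # An RCS keyword alone can sit in an HTML comment of rendered output, so it
    # only counts as exposure together with Perl statements.
    if shebang or (tag and perl_lines >= 3):
        return "source-exposed", reasons
    return ("review" if reasons else "ok"), reasons

# Constructed sample responses (hypothetical hosts). The first body reuses
# lines quoted in the report above; the others are made up for the example.
SAMPLES = {
    "mirror-a.example": ("text/plain", b"\n".join([
        b"#!/usr/bin/perl -T",
        b"# $FreeBSD: www/en/cgi/query-pr-summary.cgi,v 1.40 2003/09/02 09:46:27 dougb Exp $",
        b"$html_mode = 1 if $ENV{'DOCUMENT_ROOT'};",
        b"$self_ref = $ENV{'SCRIPT_NAME'};",
        b'$project = "FreeBSD";',
    ])),
    "mirror-b.example": ("text/html; charset=iso-8859-1",
        b"<html><head><title>Problem reports</title></head><body>...</body></html>"),
    "mirror-c.example": ("text/html",
        b"<html><!-- $Id: summary.html,v 1.1 example $ --><body>...</body></html>"),
}

def check_mirrors(samples):
    """Map each host to its verdict."""
    return {host: classify_cgi_response(ct, body)[0] for host, (ct, body) in samples.items()}

if __name__ == "__main__":
    for host, verdict in check_mirrors(SAMPLES).items():
        print(host, verdict)
```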