[HECnet] Security hole in CSWS

Sampsa Laine sampsa at mac.com
Tue Sep 22 22:43:21 PDT 2009


Just in case anyone is interested in what's actually in that directory, here's a listing:

RHESUSSYS$ dir apache$root:[php.scripts]

Directory APACHE$SPECIFIC:[PHP.SCRIPTS]

SYSINFO.DIR;1                 0.50KB   22-SEP-2009 21:21:35.44

Total of 1 file, 0.50KB

Directory APACHE$COMMON:[PHP.SCRIPTS]

PHP_CALENDAR.PHP;1             1KB   27-JUL-2009 10:33:18.95
PHP_INFO.PHP;3               0.50KB   22-SEP-2009 19:19:48.26
PHP_INFO.PHP;2               0.50KB   22-SEP-2009 19:13:20.18
PHP_INFO.PHP;1               0.50KB   27-JUL-2009 10:33:19.11
PHP_ODBC.PHP;1               0.50KB   27-JUL-2009 10:33:19.44
PHP_OPENVMS.PHP;1               7KB   27-JUL-2009 10:33:19.62
PHP_RULES.PHP;1             0.50KB   27-JUL-2009 10:33:19.79

Total of 7 files, 10KB

Grand total of 2 directories, 8 files, 11KB



Also, how does one generate a file with version number -1?

Sampsa


On 22 Sep 2009, at 22:40, Sampsa Laine wrote:

Hmm...The rule seems to somehow work for .1:

	http://rhesus.sampsa.com/php/php_rules.php.1
	http://rhesus.sampsa.com/php/php_rules.php.0
	http://rhesus.sampsa.com/php/php_rules.php.-1

As well as -1:

	http://rhesus.sampsa.com/php/php_rules.php;-1

And ;0 is covered by the rewrite anyhow:

	http://rhesus.sampsa.com/php/php_rules.php;0


Any other separator legal for version numbers? Am I missing anything else?

Sampsa



On 22 Sep 2009, at 22:36, Johnny Billquist wrote:

Sampsa Laine wrote:
Just to clarify, are we now talking about the flaw in CSWS_PHP or just general syntax for VMS filenames? Or both?

Both. Since we're talking about legal filenames in VMS, it means that CSWS_PHP must understand them as well, or else they are just easy ways of getting around your rewrite rules.

	Johnny

Sampsa

On 22 Sep 2009, at 22:25, Mark Abene wrote:

For the record, both [] and <> will work on TOPS-20 for directory names.
Brackets [] are naturally preferable because they don't require a shift,
which is much more comfortable when typing quickly.


Johnny Billquist wrote:
Mark Wickens wrote:
Hope you guys don't mind but I mentioned this to the Hoff and he pointed
out that a period '.' can be used validly instead of a ';' as a
separator between the version number and the filename.

Indeed. You can also use <> instead of [] as directory brackets.
All because of confusion within DEC at the time when they tried to
decide on a standard for all DEC OSes.
(Because of this confusion, TOPS-20 changed its syntax to be <> and .,
but then VMS reverted the decision, but in the end they had to allow
both variants, to keep something like compatibility between VMS and
TOPS-20. RSX also allows the same.)

Johnny



-- 
Johnny Billquist                                   || "I'm on a bus
                                                              ||   on a psychedelic trip
email: bqt at softjar.se                         ||   Reading murder books
pdp is alive!                                         ||   tryin' to stay hip" - B. Idol
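
Added example (not part of the original thread, and not the rewrite rule Sampsa actually deployed): a Python check that flags request paths whose last segment carries a VMS version field written with either separator discussed above, ';' or '.', including zero and negative versions. The function names and the sample paths are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request paths in the forms listed in the thread (constructed sample input).
SAMPLE_PATHS = [
    "/php/php_rules.php",
    "/php/php_rules.php;0",
    "/php/php_rules.php;-1",
    "/php/php_rules.php.1",
    "/php/php_rules.php.-1",
    "/php/php_rules.php%3B0",   # percent-encoded ';'
]

_VERSION = re.compile(r"-?\d+")


def vms_version_suffix(url):
    """Return (separator, version) if the last path segment ends in a VMS
    version field, otherwise None."""
    # Decode first so an encoded separator is judged like a literal one.
    path = unquote(urlsplit(url).path)
    leaf = path.rsplit("/", 1)[-1]
    # ';' form: name.type;version. A bare trailing ';' is reported too.
    if ";" in leaf:
        return (";", leaf.split(";", 1)[1])
    # '.' form: name.type.version, so at least two dots are required and
    # the last field must be an optionally negative integer.
    # Deliberately conservative: "archive.tar.7" would be flagged as well.
    parts = leaf.split(".")
    if len(parts) >= 3 and _VERSION.fullmatch(parts[-1]):
        return (".", parts[-1])
    return None


def audit(paths):
    """Map each path to True (reject) or False (pass through)."""
    return {p: vms_version_suffix(p) is not None for p in paths}


if __name__ == "__main__":
    for path, reject in audit(SAMPLE_PATHS).items():
        print("REJECT" if reject else "ok    ", path)
```

Running a rewrite rule set against a list like SAMPLE_PATHS is a quick way to confirm that every separator and sign combination is covered, not just ;N.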


