[HECnet] Security hole in CSWS
Sampsa Laine
sampsa at mac.com
Mon Sep 21 20:17:02 PDT 2009
Guys,
I just installed CSWS (== Apache basically) on RHESUS and think I've found what amounts to a potentially rather annoying security problem: CSWS doesn't seem to fully understand VMS file specifications, so it treats the semicolon that indicates version numbers after an extension as part of the extension, thus allowing one to access the source code of CGIs or PHP scripts etc.
As an example, there is a plain vanilla CSWS install with CSWS_PHP running on RHESUS. If you access the following URL:
http://rhesus.sampsa.com/php/php_rules.php
You will get the script's output.
However, if you append ;1 to the filename, you get the PHP source instead:
http://rhesus.sampsa.com/php/php_rules.php;1
Which might contain database credentials, trade secrets, or even my Illuminati membership number...
What do you guys think, worth getting in touch with HP? I think this could be a potential disaster waiting to happen...
Sampsa
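A way to check an access log for the behaviour reported above, as an added example that is not part of the original post or of CSWS. It assumes Apache Common Log Format entries; the SCRIPT_EXTS set, the function names and the sample log lines are constructed for illustration.

```python
import os
import re
from urllib.parse import unquote, urlsplit

# Assumption: extensions this server hands to a script engine instead of serving raw.
SCRIPT_EXTS = {".php", ".cgi", ".pl"}

# Request line and status from an Apache Common Log Format entry.
CLF = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# VMS version suffix on the last path segment: ';' followed by digits.
VMS_VERSION = re.compile(r"^(?P<base>[^;]+);(?P<version>\d+)$")


def handler_view(path):
    """Extension as a mapper that ignores VMS syntax sees it, and as VMS resolves it."""
    name = unquote(path).rsplit("/", 1)[-1]
    naive_ext = os.path.splitext(name)[1].lower()
    m = VMS_VERSION.match(name)
    real_ext = os.path.splitext(m.group("base"))[1].lower() if m else naive_ext
    return naive_ext, real_ext


def source_disclosure_hits(log_lines):
    """Return (path, status) for successful requests that name a script with a ;version."""
    hits = []
    for line in log_lines:
        m = CLF.search(line)
        if not m:
            continue
        path = urlsplit(m.group("target")).path
        naive_ext, real_ext = handler_view(path)
        if naive_ext != real_ext and real_ext in SCRIPT_EXTS and m.group("status") == "200":
            hits.append((path, int(m.group("status"))))
    return hits


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Sep/2009:20:01:00 -0700] "GET /php/php_rules.php HTTP/1.1" 200 512',
    '192.0.2.11 - - [21/Sep/2009:20:02:00 -0700] "GET /php/php_rules.php;1 HTTP/1.1" 200 1380',
    '192.0.2.12 - - [21/Sep/2009:20:03:00 -0700] "GET /docs/readme.txt;3 HTTP/1.1" 200 90',
    '192.0.2.13 - - [21/Sep/2009:20:04:00 -0700] "GET /php/missing.php;2 HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for path, status in source_disclosure_hits(SAMPLE_LOG):
        print(f"possible source disclosure: {path} -> {status}")
```

The same handler_view comparison can be used in a front-end filter to refuse any request where the two extensions differ before it reaches the handler mapping.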