On Thu, 21 Oct 1999, Aengus Lawlor wrote:
> 
> The documentation says of CGI ON that "You can't choose any options that 
> way though". This isn't my experience. I just typed in the following URL
> 
> http://<server>/analog/analog.exe?c:\logs\jun.log+c:\logs\jul.log+%2bC"HOSTNAME+Test"+%2bO-+%2bC"CGI%20ON"
> 
> and got a report for the two logs specified, and with the specified 
> hostname.

Hmmm. It looks as if your server is passing those arguments in on the
command line. I didn't think that was normal behaviour, but I'll check on
my Apache this evening.

In this case, it's a serious security risk. The anlgform.pl filters out
certain dangerous arguments. For example, if someone specified HEADERFILE in
your example, they could view any file on the system. Don't keep it there!

-- 
Stephen Turner    [EMAIL PROTECTED]    http://www.statslab.cam.ac.uk/~sret1/
  Statistical Laboratory, 16 Mill Lane, Cambridge CB2 1SB, England
  "Due to the conflict in Kosovo, we will not be showing the movie Wag the
   Dog. Instead, we will show Mortal Kombat: Annihilation." Cable & Wireless
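
What the quoted URL relies on is the CGI "indexed query" rule (RFC 3875, section 4.4): when QUERY_STRING contains no unencoded "=", the server splits it on "+", percent-decodes each word and passes the words to the CGI program as command-line arguments; Apache has always done this. An encoded %2b therefore survives as a literal "+" inside one argument, which is how "+C" configuration commands reach analog.exe. The following is an added example (not analog's code and not anlgform.pl): it emulates that server behaviour on the posted URL's query and then applies the kind of allowlist check a form front-end needs before forwarding arguments, rejecting the HEADERFILE case from the reply above. The option names HOSTNAME, HEADERFILE, CGI, +O- and the +C"..." syntax are taken from the post; the allowlists, the log directory c:\logs and the sample queries are constructed for this example.

```python
"""Emulate the CGI/1.1 'indexed query' rule and filter analog-style arguments.

Added example, not analog's own code. Option names come from the mailing-list
post; ALLOWED_CONFIG, ALLOWED_SWITCHES and LOG_DIR are hypothetical policy.
"""
import posixpath
from urllib.parse import unquote

# Constructed sample queries. The first mirrors the URL from the post; the
# second is the case the reply warns about (a +C"HEADERFILE ..." command).
BENIGN_QUERY = 'c:\\logs\\jun.log+c:\\logs\\jul.log+%2bC"HOSTNAME%20Test"+%2bO-+%2bC"CGI%20ON"'
ATTACK_QUERY = 'c:\\logs\\jun.log+%2bC"HEADERFILE%20c:\\secret.txt"'

# Hypothetical policy: configuration commands and bare switches the form is
# willing to forward, and the only directory log files may be read from.
ALLOWED_CONFIG = {'HOSTNAME', 'CGI'}
ALLOWED_SWITCHES = {'+O-'}
LOG_DIR = 'c:/logs'


def indexed_query_to_argv(query_string):
    """Return the argv a CGI/1.1 server builds from an indexed query.

    Returns None when the query holds an unencoded '=' (an ordinary form GET),
    since then the server must not turn it into a command line.
    """
    if '=' in query_string:
        return None
    # Split on unencoded '+' first, then decode each word separately, so an
    # encoded '%2b' ends up as a literal '+' inside a single argument.
    return [unquote(word) for word in query_string.split('+') if word]


def config_command_name(arg):
    """Name of the command in a +C"COMMAND value" argument, else None.

    The +C"..." form is as it appears in the posted URL (assumed syntax).
    """
    if not arg.startswith('+C'):
        return None
    body = arg[2:].strip('"').strip()
    return body.split(None, 1)[0].upper() if body else ''


def is_allowed_log(path):
    """True only if path is a file directly inside LOG_DIR (no traversal)."""
    norm = posixpath.normpath(path.replace('\\', '/')).lower()
    prefix = LOG_DIR + '/'
    return norm.startswith(prefix) and '/' not in norm[len(prefix):]


def filter_args(argv):
    """Split argv into (kept, rejected) under the allowlist policy above."""
    kept, rejected = [], []
    for arg in argv:
        name = config_command_name(arg)
        if name is not None:
            allowed = name in ALLOWED_CONFIG          # HEADERFILE is not
        elif arg.startswith(('+', '-')):
            allowed = arg in ALLOWED_SWITCHES         # every other switch is vetted
        else:
            allowed = is_allowed_log(arg)             # positional args are log files
        (kept if allowed else rejected).append(arg)
    return kept, rejected


if __name__ == '__main__':
    for query in (BENIGN_QUERY, ATTACK_QUERY):
        argv = indexed_query_to_argv(query)
        kept, rejected = filter_args(argv)
        print('argv     :', argv)
        print('forwarded:', kept)
        print('rejected :', rejected)
```

The check is an allowlist rather than a denylist of "dangerous" commands: a front-end that only knows which commands to block has to be updated every time a new file-reading or output-redirecting option appears, whereas one that forwards only HOSTNAME-style presentation commands and log files from a fixed directory fails closed.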

------------------------------------------------------------------------
This is the analog-help mailing list. To unsubscribe from this
mailing list, send mail to [EMAIL PROTECTED]
with "unsubscribe analog-help" in the main BODY OF THE MESSAGE.
List archived at http://www.mail-archive.com/analog-help@lists.isite.net/
------------------------------------------------------------------------