On 16/11/2020 06:21, Jonnalagadda, Swathi (External) wrote: > Hi Mark, > > Thank you for replying on this. > > Please find below servlet configuration > > <servlet> > <servlet-name>cgi</servlet-name> > <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class> > <init-param> > <param-name>cgiPathPrefix</param-name> > <param-value>cgi-bin</param-value> > <param-name>executable</param-name> > <param-value>/usr/bin/perl</param-value> > </init-param> > <load-on-startup>5</load-on-startup> > </servlet>
That configuration is not valid. I'm surprised Tomcat even starts with a configuration like that. Enabling validation would catch that but I'll look to see if there is more we can do. > <servlet-mapping> > <servlet-name>cgi</servlet-name> > <url-pattern>/cgi-bin/*</url-pattern> > </servlet-mapping> > > The url we access is > http://maskedforsecurity:port/maskedapp/cgi-bin/register.cgi?-p Given a fixed version of the configuration above, getopts isn't going to work because you haven't enabled command line arguments. See http://tomcat.apache.org/tomcat-9.0-doc/cgi-howto.html Look for enableCmdLineArguments See also CVE-2019-0232 if you are running on Windows. > Please note that the cgi files are all under maskedapp/cgi-bin of webapps > folder. > > Also I have observed that even if I don’t configure cgi servlet in web.xml, > the server is executing the cgi file but it is not able to execute getops > method. Then you have the CGI servlet (or the CGI filter) enabled in another location. Check both the global and per web application web.xml file. You'd normally only enable GCI in one location. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
