
Irix pfdisplay-CGI

Date: Tue, 17 Mar 1998 00:06:48 +0100
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Subject: IRIX performer_tools bug

    Do you remember the /cgi-bin/handler bug?

    Well, more of the same:

    IRIX 6.2
    performer_tools.sw.webtools (Performer API Search Tool 2.2)

    Bug: Anyone can read files (as 'nobody') from your system:


    lynx -source \

    for instance :-)


*** pfdispaly.cgi.O     Mon Mar 16 23:13:34 1998
--- pfdispaly.cgi       Mon Mar 16 23:36:29 1998
*** 14,19 ****
--- 14,20 ----
  $fullcgiroot = "/var/www$cgiroot";

  $shortfilepath = "$ARGV[0]";
+ $shortfilepath =~ s/\.{2,}//g;
  $fullfilepath = "$maindocroot$shortfilepath";
  ($filename = $shortfilepath) =~ s/.*\/(.*)$/$1/;
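Review bot: the added `$shortfilepath =~ s/\.{2,}//g;` silently rewrites the request rather than refusing it, and the hunk still builds `$fullfilepath = "$maindocroot$shortfilepath"` with no check that the result actually resolves under $maindocroot, so an escape that does not use literal dots (for example a symlink inside the document tree, or anything decoded after this line runs) is not caught, while any legitimate file name containing ".." or "..." is quietly mangled. Suggest rejecting instead of sanitising (die or return an error when the path matches `m{(^|/)\.\.(/|$)}`), and, after building $fullfilepath, canonicalising it (Cwd::abs_path) and confirming it starts with the canonical $maindocroot before it is opened.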

    Note: I haven't tested the other Performer CGIs too much,
    maybe they will have more nasty bugs.
    (in fact, pfdispaly.cgi opens "$ARGV[0]" with "$maindocroot"
    prepended; but somewhere 'dangerous' characters are escaped)

    There is another bug in pfsearch.cgi, which lacks the
    print "Content-type: text/html\n\n";
    line, so you get garbage in your browser.

    (and even worse, you have to enable JavaScript if you want
    to use this set of CGIs...)

    J.A. Gutierrez                                   So be easy and free
                                            when you're drinking with me
                                      I'm a man you don't meet every day
 finger me for PGP                                          (the pogues)
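The pattern the post describes (a caller-supplied path appended to $maindocroot and opened as-is), the posted dot-stripping fix, and a containment check that rejects rather than rewrites, side by side. This is an added example written for this page, not pfdispaly.cgi itself or code from the original post; the throwaway document root, the "outside" file and the symlink are constructed here for illustration, and the function names are assumptions.

```perl
#!/usr/bin/perl
# Added example (not pfdispaly.cgi): three ways of turning a request path
# into a file path. The docroot layout below is constructed for the demo.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# The pattern from the post: prepend the docroot, nothing else.
sub vulnerable_path {
    my ($maindocroot, $shortfilepath) = @_;
    return "$maindocroot$shortfilepath";
}

# The posted fix: drop every run of two or more dots, then prepend.
sub patched_path {
    my ($maindocroot, $shortfilepath) = @_;
    $shortfilepath =~ s/\.{2,}//g;
    return "$maindocroot$shortfilepath";
}

# Stricter alternative: refuse ".." components and NUL bytes outright,
# then resolve the result on disk and require it to stay under the root.
# Returns the canonical path, or undef when the request must be refused.
sub contained_path {
    my ($maindocroot, $shortfilepath) = @_;
    return undef if $shortfilepath =~ m{(^|/)\.\.(/|$)} || $shortfilepath =~ /\0/;
    my $root = abs_path($maindocroot)                 or return undef;
    my $full = abs_path("$root$shortfilepath")        or return undef;
    # abs_path follows symlinks, so a link pointing outside the tree fails here
    return ($full eq $root || index($full, "$root/") == 0) ? $full : undef;
}

# --- constructed demo tree: $base/www is the docroot, $base/outside is not ---
my $base    = tempdir(CLEANUP => 1);
my $docroot = "$base/www";
make_path("$docroot/docs", "$base/outside");
for my $f ("$docroot/docs/index.html", "$base/outside/secret.txt") {
    open(my $fh, '>', $f) or die "cannot create $f: $!";
    print $fh "contents of $f\n";
    close $fh;
}
# a symlink inside the tree that points outside it (no dots involved)
symlink("$base/outside/secret.txt", "$docroot/docs/leak")
    or die "symlink failed: $!";

# Requests as they would arrive in $ARGV[0]: a normal file, a classic
# traversal, and the symlink that the dot filter cannot see.
for my $req ('/docs/index.html', '/../outside/secret.txt', '/docs/leak') {
    my $v = vulnerable_path($docroot, $req);
    my $p = patched_path($docroot, $req);
    my $c = contained_path($docroot, $req);
    printf "%-24s vulnerable:%-9s patched:%-9s contained:%s\n", $req,
        (-r $v ? 'readable' : 'miss'),
        (-r $p ? 'readable' : 'miss'),
        (defined $c ? 'allowed' : 'refused');
}
```

Run as-is on any Unix host with a core Perl: the traversal request is readable through the original code, goes nowhere after the dot filter, and is refused by the containment check, while the symlink request is still served by both the original and the patched code and is only refused once the resolved path is compared against the root. Whatever check is used must be applied to the exact string that reaches open(), after any decoding the CGI environment performs.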
