CGI path disclosure
Andreas Ericsson
ae at op5.se
Mon Oct 4 15:33:56 CEST 2004
Ahoy.
A few of the CGIs print the path and names of the logfiles they show. I
suspect this is a debugging easter egg.
While providing little real value for an authorized user, it gives a
potential attacker information about the system. That's always a Bad Thing.
Attached are two patches. One which completely removes the printing of
the logfile name, and one which de-canonicalizes the name and prints
only the actual filename without the leading path.
--
Andreas Ericsson andreas.ericsson at op5.se
OP5 AB www.op5.se
Lead Developer
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: nagios-cgi_path_disclosure_cutpath.diff
URL: <https://www.monitoring-lists.org/archive/developers/attachments/20041004/7acb5486/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: nagios-cgi_path_disclosure_noprint.diff
URL: <https://www.monitoring-lists.org/archive/developers/attachments/20041004/7acb5486/attachment-0001.ksh>
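The two approaches the message describes (omit the logfile name entirely, or print only the filename without its leading path), shown beside the reported behaviour in an added C example that is not part of the original post or its attached patches. The function names, the "File:" banner text and the sample path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not code from the Nagios CGIs. */
enum name_mode { NAME_FULL, NAME_CUT, NAME_NONE };

/* Return the part of path after the last '/', so the page can name the
 * file being shown without revealing where it lives on disk. */
const char *log_display_name(const char *path)
{
    const char *slash;

    if (path == NULL)
        return "";
    slash = strrchr(path, '/');
    return slash ? slash + 1 : path;   /* no '/' means it is already bare */
}

/* Build the line a CGI would print above the log contents. */
int format_log_banner(char *out, size_t outlen, const char *path,
                      enum name_mode mode)
{
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    switch (mode) {
    case NAME_FULL:   /* behaviour the message reports: full path leaks */
        return snprintf(out, outlen, "File: %s", path ? path : "");
    case NAME_CUT:    /* print only the filename */
        return snprintf(out, outlen, "File: %s", log_display_name(path));
    case NAME_NONE:   /* print nothing about the file */
    default:
        return 0;
    }
}

int main(void)
{
    /* Constructed sample path, not taken from the post. */
    const char *sample = "/opt/monitor/var/archives/example-2004-10-04.log";
    char line[256];
    int m;
    for (m = NAME_FULL; m <= NAME_NONE; m++) {
        format_log_banner(line, sizeof line, sample, (enum name_mode)m);
        printf("mode %d: \"%s\"\n", m, line);
    }
    return 0;
}
```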