RE: [cobalt-users] Cobalt wishlist
- From: "Dan" <dan@xxxxxxxxxxxxx>
- Date: Thu Apr 6 06:16:45 2000
> Okay, now you really have my curiosity up. Where's the condition
> that lets you write to files? The biggest thing I can see is
> a possible CGI exploit in that since all users' CGIs run as httpd,
> and all FP enabled webs are owned by httpd -- that a malicious
> user could put together a small cgi using the POST method to let
> any upload a file that posts to a directory tree outside your
> own directory.
>
I think it has to do with the ability to add a .htaccess file because of the
AllowOverride All. (?)
--
Dan Kriwitsky