Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: FormHandler.cgi

From: info () TOTALNETNH NET (Kevin Hemenway)
Date: Fri, 3 Dec 1999 10:51:02 -0500

Regarding previous messages concerning FormHandler.cgi on 11/8/99 and
11/15/99 and how four lines of code can send anyone your passwd file:

I had previous stated that you could add '..' to the
@RESTRICTED_ATTACH_DIRS. This is incorrect and actually breaks the
'email_template' (and possibly others) feature. You can however use the
following:

    @RESTRICTED_ATTACH_DIRS = ('/etc/','\.\.');

This made 'email_template' work again, but could have broken something else.

Kevin Hemenway
-- -----------------------------------------------------------------
Total Net NH, LLC              EMAIL: <info () totalnetnh net>
15 Pleasant St., Suite 11      WEBSITE: <http://www.totalnetnh.net/>
Concord, NH 03301              PHONE: (603) 225-8422
--------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: