Bugtraq mailing list archives
CGIs that accept file: URL schemes
From: Benjamin Elijah Griffin <bgriffin () CDDB COM>
Date: Thu, 27 Jul 2000 12:48:08 -0700
Some CGI programs operate on webpages and accept URLs of the page to operate upon. This is all fine and good until the program does not limit the URL schemes it accepts properly. (The scheme is the part before the first colon, eg 'http', 'https', and 'mailto'.) Some months ago I noticed that there is a well known HTML validator which is quite willing to accept file: URLs. It then reads in the local file and attempts to validate it as HTML, printing error messages along the way that reveal the content of the file. This allows remote reading of any file on the system available with the privileges of the webserver. I notified the maintainer of this validation service in mid-March. I notice today it says it was last updated the end of June, but it still validates <URL:file:///etc/fstab> when requested. I don't want to disclose the validator that does this, because I think it affects only a single system, but I do want to expose the problem of 'file' scheme URLs. Benjamin
Current thread:
- CGIs that accept file: URL schemes Benjamin Elijah Griffin (Jul 29)