Date: Thu, 6 Apr 2000 11:34:09 -0700
Content-Type: text/plain
Hi Shane,

I believe this functionality change was done to prevent security problems, i.e.
relative path names of ../../.. etc being able to traverse backwards beyond the
top of the DocumentRoot and then back down into unauthorized directories (i.e.
../../../SYS/PUB/HPSWINFO).

This is an excellent reason why anybody running Apache 1.2.5 is STRONGLY
ENCOURAGED to migrate to the official HP 1.3.4 version available in 6.5 FOS or
downloadable for 6.0 from http://jazz.external.hp.com/src/apache.

In any case, you should change your action keyword to be just /cgi-bin/websec.

- Mark B.

Shane Castle wrote:
>
> My company has been using version 1.2.5 of Apache for the last year
> without any problems. We have recently been testing MPE 6.0 and also
> installed the new version of Apache. Using the programs that are currently
> working, I started doing testing of the new version, and I've run into a
> problem.
>
> Previously I had a Post command that read as follows:
>
> <form method="post" action="../cgi-bin/websec" name="Security">
>
> This would find websec at /APACHE/PUB/cgi-bin/websec.
>
> This worked without a problem on the old version. The new version does not
> seem to be recognizing the .. and so it is looking for my program in
> APACHE/PUB/htdocs/cgi-bin/websec.
>
> I haven't been able to find an issue about this on the board, and I'm
> wondering if anyone else has seen this?
>
> Thanks for the help.
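
Added example, not part of the original messages and not Apache's own code: a minimal sketch of the kind of check Mark describes, refusing any request path whose `..` segments would climb above the document root. The root value is assumed from the paths quoted in the thread; `resolve_under_root`, `is_allowed` and `TraversalError` are hypothetical names, and the sample paths are constructed from the ones in the messages.

```python
import posixpath
from urllib.parse import unquote

# Assumed from the thread: the new server looked under /APACHE/PUB/htdocs.
DOCUMENT_ROOT = "/APACHE/PUB/htdocs"


class TraversalError(ValueError):
    """Raised when a request path would climb above the document root."""


def resolve_under_root(url_path, root=DOCUMENT_ROOT):
    """Map a URL path to a file path under root (hypothetical helper)."""
    # Decode once so an encoded %2e%2e is seen as '..' before any check runs.
    path = unquote(url_path)
    if not path.startswith("/") or "\x00" in path:
        raise TraversalError("malformed request path: %r" % url_path)

    kept = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue                  # empty and '.' segments are no-ops
        if segment == "..":
            if not kept:              # nothing left to pop: above the root
                raise TraversalError("path climbs above root: %r" % url_path)
            kept.pop()
        else:
            kept.append(segment)

    candidate = posixpath.join(root, *kept)
    # Second, independent containment check on the final path string.
    if posixpath.commonpath([root, candidate]) != root:
        raise TraversalError("path escapes root: %r" % url_path)
    return candidate


def is_allowed(url_path):
    """True if the path stays inside the document root."""
    try:
        resolve_under_root(url_path)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample request paths based on the ones in the thread.
    for p in ["/cgi-bin/websec", "/forms/../cgi-bin/websec",
              "/../cgi-bin/websec", "/%2e%2e/%2e%2e/%2e%2e/SYS/PUB/HPSWINFO"]:
        print(p, "->", "ok" if is_allowed(p) else "rejected")
```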