[WarpCast] Security alert - CGI exploit in Xitami for OS/2 - 9/21/98




****************************** WarpCast ******************************
Source: Trevor Smith (trevor@haligonian.com)
Moderator: Dirk Terrell (admin@os2ss.com)
**********************************************************************
 
The following note was sent to the Xitami mailing list 
Monday, September 21, 1998.

Xitami is a free and easily configurable web server for 
many platforms, including OS/2.  More info can be found at:

  http://www.imatix.com/ 


Security alert
--------------

There is the potential on non-Unix systems to open a 
security hole in Xitami whereby users can execute arbitrary 
CGI programs on the server.

This is not possible on default configurations.

The security hole is possible because Xitami allows the CGI
indicator, '/cgi-bin', to occur anywhere in the URL.  This 
is a valid CGI URL, assuming that 'program.pl' is an 
executable program, e.g. a Perl script:

  http://somehost/users/jondo/cgi-bin/program.pl

If you have configured Xitami so that a user can upload 
files into the HTTP area using FTP, then the user can also 
upload arbitrary CGI programs and execute them on your 
system.

The next release of Xitami will provide an option to 
disable the wildcard matching of '/cgi-bin' in the URL.  In 
existing versions, you should run Xitami under a user ID 
that does not have access to sensitive data, if the 
operating system allows this.

-
Pieter Hintjens
iMatix Corporation
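The two matching rules the alert contrasts, as an added example that is not part of the alert or of Xitami's own code: the wildcard rule treats '/cgi-bin' anywhere in the decoded, normalised path as CGI, the anchored rule only accepts a path rooted at the server's own /cgi-bin/, and a small scan over constructed access-log lines (hypothetical hosts and users) lists the requests that only the wildcard rule would have executed.

```python
import posixpath
from urllib.parse import urlsplit, unquote

CGI_MARKER = "/cgi-bin"

def normalize_path(url):
    """Decode and canonicalise the path so that '%2F', '//', '.' and '..'
    cannot hide the marker or move it relative to the document root."""
    path = unquote(urlsplit(url).path)
    path = "/" + path.lstrip("/")          # exactly one leading slash
    return posixpath.normpath(path)        # collapses '//', resolves '.' and '..'

def is_cgi_wildcard(url):
    """Behaviour described in the alert: marker anywhere in the path."""
    return CGI_MARKER in normalize_path(url)

def is_cgi_anchored(url):
    """Hardened rule: only a path under the server's root /cgi-bin/ is CGI,
    so files in a user's upload area are never executed."""
    p = normalize_path(url)
    return p == CGI_MARKER or p.startswith(CGI_MARKER + "/")

# Constructed sample access-log lines (common log format); hosts and
# user directories are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Sep/1998:10:01:02 +0000] "GET /cgi-bin/search.pl HTTP/1.0" 200 512
10.0.0.9 - - [21/Sep/1998:10:02:17 +0000] "GET /users/jondo/cgi-bin/program.pl HTTP/1.0" 200 88
10.0.0.9 - - [21/Sep/1998:10:02:40 +0000] "GET /users/jondo/index.html HTTP/1.0" 200 1400
10.0.0.7 - - [21/Sep/1998:10:03:05 +0000] "GET /users/jondo/%2Fcgi-bin/x.pl HTTP/1.0" 200 90
"""

def find_nonroot_cgi(log_text):
    """Return request paths that the wildcard rule would run as CGI but the
    anchored rule would not: these are the executions from outside the
    real /cgi-bin directory that an administrator should review."""
    hits = []
    for line in log_text.splitlines():
        try:
            request = line.split('"')[1]   # 'GET <path> HTTP/1.0'
            path = request.split()[1]
        except IndexError:
            continue                       # malformed line, skip it
        if is_cgi_wildcard(path) and not is_cgi_anchored(path):
            hits.append(path)
    return hits

if __name__ == "__main__":
    for p in find_nonroot_cgi(SAMPLE_LOG):
        print("CGI run outside /cgi-bin:", p)
```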



----------------------------------------------------------------------
To subscribe, unsubscribe, or for more information on
WarpCast, visit: http://www.warpcast.com/
----------------------------------------------------------------------

WarpCast Archives - Courtesy of VOICE International