Topic: Security hole in Calendar.pl
repman
« on: July 14, 2004, 02:48:00 PM »

Hi,

My ISP found a security hole in the script which allowed some person to drop a file in my web directory. Anyone know how I can fix this? The server is running BSD.

thanks,
Bill

----------------------------------
Here's the message from the ISP SysAdmin:

However, this hack did not involve anyone knowing your password.  It was done by exploiting a security hole in your /cgi-bin/calendar/calendar.pl CGI script.  

<<Actual commands were deleted from view to avoid any duplication from other would-be hackers>>

Obviously the script uses the value of the "fromTemplate" form variable as a filename without validating it first.  This is very dangerous because it is an open door into your account.  You should either remove the script, or modify it to test the validity of all form data instead of trusting it implicitly.

[This message has been edited by repman (edited July 14, 2004).]

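To show what the sysadmin's advice looks like in practice, here is an added illustration; it is not from the original post and not CalendarScript's own code. It validates the "fromTemplate" value before it ever becomes a filename: the name must match a short alphanumeric pattern, appear in a fixed list of known templates, and is then joined onto a fixed template directory. The template directory, the template names, the ".tmpl" suffix, and the use of CGI.pm and taint mode (-T) are all assumptions for the example.

```perl
#!/usr/bin/perl -T
# Added example (not CalendarScript's own code): validating a template name
# taken from a CGI form variable before using it as a filename.
use strict;
use warnings;
use CGI;            # assumption: CGI.pm is installed on the server
use File::Spec;

# Hypothetical template directory; the real script's layout is not known here.
my $TEMPLATE_DIR = '/usr/local/www/cgi-bin/calendar/templates';

# Only these plain names are accepted. Anything containing a directory
# separator, "..", or characters outside the pattern below is rejected.
my %ALLOWED = map { $_ => 1 } qw(default monthly weekly);   # assumed names

# Returns a safe absolute path for a known template, or undef on any doubt.
sub template_path {
    my ($name) = @_;
    # Reject undefined/empty values and anything beyond a short token.
    return undef unless defined $name && $name =~ /\A([A-Za-z0-9_-]{1,32})\z/;
    my $clean = $1;                       # untainted copy (satisfies -T)
    return undef unless $ALLOWED{$clean}; # must be a template we ship
    return File::Spec->catfile($TEMPLATE_DIR, "$clean.tmpl");
}

# Reads the validated template. Rejections are logged for the operator
# (server error log) while the client only sees a generic message.
sub render_template {
    my ($name) = @_;
    my $path = template_path($name);
    unless (defined $path) {
        warn "calendar.pl: rejected fromTemplate value\n";
        return "Invalid template.\n";
    }
    open(my $fh, '<', $path) or do {
        warn "calendar.pl: cannot open template $path: $!\n";
        return "Template unavailable.\n";
    };
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# CGI entry point. The unsafe pattern the sysadmin describes amounts to
# opening whatever string arrives in fromTemplate with no check at all;
# here the value goes through template_path() first.
my $q = CGI->new;
print $q->header('text/html');
print render_template(scalar $q->param('fromTemplate'));
```

The allowlist is the important part: a pattern check alone still lets a request pick any file whose name happens to match, whereas the hash limits the script to the handful of templates it actually ships with. Running under -T means Perl itself refuses to open a path built from form data unless it has passed through a regex capture like the one above, which catches any later code path that forgets to validate.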
DanO
« Reply #1 on: July 14, 2004, 05:12:00 PM »

** Anyone know how I can fix this? **

Yes, upgrade to the current version. That is why it was released.

PS. It might be wise to delete the actual hack instructions from your previous message. No use giving idle hands an opportunity to try it out on some other unsuspecting user?

Dan O.
the Unofficial CalendarScript - Mods and Plugins site

