From setantae@submonkey.net  Fri Aug  3 10:01:13 2001
Return-Path: <setantae@submonkey.net>
Received: from relay3-gui.server.ntli.net (relay3-gui.server.ntli.net [194.168.4.200])
	by hub.freebsd.org (Postfix) with ESMTP id 095F437B405
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  3 Aug 2001 10:01:13 -0700 (PDT)
	(envelope-from setantae@submonkey.net)
Received: from m258-mp1-cvx1b.bri.ntl.com ([62.255.9.2] helo=rhadamanth.hounds)
	by relay3-gui.server.ntli.net with esmtp (Exim 3.03 #2)
	id 15Si4i-00048j-00
	for FreeBSD-gnats-submit@freebsd.org; Fri, 03 Aug 2001 17:45:25 +0100
Received: from setantae by rhadamanth.hounds with local (Exim 3.22 #1)
	id 15SiLE-0000JO-00
	for FreeBSD-gnats-submit@freebsd.org; Fri, 03 Aug 2001 18:02:28 +0100
Message-Id: <E15SiLE-0000JO-00@rhadamanth.hounds>
Date: Fri, 03 Aug 2001 18:02:28 +0100
From: setantae <setantae@submonkey.net>
Sender: setantae <setantae@submonkey.net>
Reply-To: setantae <setantae@submonkey.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: http://www.uk.freebsd.org/cgi lets anyone view the cgi programs
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         29414
>Category:       misc
>Synopsis:       http://www.uk.freebsd.org/cgi lets anyone view the cgi programs
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 03 10:10:00 PDT 2001
>Closed-Date:    Mon Sep 24 04:31:05 PDT 2001
>Last-Modified:  Mon Sep 24 04:31:34 PDT 2001
>Originator:     setantae
>Release:        FreeBSD 4.4-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD rhadamanth.hounds 4.4-PRERELEASE FreeBSD 4.4-PRERELEASE #4: Fri Aug 3 12:49:51 BST 2001 root@rhadamanth.hounds:/usr/obj/usr/src/sys/RHADAMANTH i386


	
>Description:
	www.uk.freebsd.org has the incorrect config regarding the /cgi
	directory.
	Visiting http://www.uk.freebsd.org/cgi gives a directory index, and
	choosing any of the files therein shows you the source code instead
	of the output of their execution.
	Other mirrors do not allow directory indexing on that part of the site.

	In addition, www3.uk.freebsd.org allows you to view the source of any
	script in /cgi if you already know its name.
	All other mirrors I have tried also allow this, though none other than
	www.uk.freebsd.org allow directory indexing.

>How-To-Repeat:
	Visit http://www.uk.freebsd.org/cgi in a browser.

>Fix:
	i) Change the way that mirroring works so that all mirrors redirect to
	   www.freebsd.org/cgi for these?

	ii) Produce guidelines regarding httpd configuration for mirror sites?
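
	Added editorial example, not part of the PR and not the configuration of
	any FreeBSD mirror: an Apache httpd fragment showing the /cgi
	misconfiguration the report describes next to the corrected forms, one
	for suggested fix i) (redirect /cgi to the master site) and one where the
	mirror executes the scripts itself. The paths, the handling of the mirror
	rsync, and the Apache 2.4 access-control syntax are assumptions; a
	2001-era Apache 1.3 mirror would write "Order allow,deny" and
	"Allow from all" where this writes "Require all granted".

```apache
# Added example (editor's, not the PR's and not any FreeBSD mirror's config).
# Assumed: Apache 2.4 syntax, DocumentRoot /usr/local/www/freebsd, and that
# the mirror receives the /cgi directory as ordinary files with the rest of
# the site tree.  The two halves below are alternatives; load only one.

# ---- Weak: the configuration the PR describes --------------------------
# Nothing marks /cgi as a CGI directory, so httpd treats query-pr.cgi and
# friends as static files and returns their source.  Indexes is enabled
# site-wide, so a request for /cgi/ returns a directory listing as well.
<Directory "/usr/local/www/freebsd">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# ---- Corrected ---------------------------------------------------------
# Indexes off at the document root; nothing below turns it back on.
<Directory "/usr/local/www/freebsd">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Fix i) from the PR: the mirror does not run the scripts, it hands /cgi
# requests to the master site.  mod_alias prefix-matches, so
# /cgi/query-pr.cgi?pr=29414 becomes
# http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29414.
Redirect permanent /cgi http://www.FreeBSD.org/cgi

# Alternative to the Redirect (remove the Redirect if you use this): the
# mirror executes the scripts.  ScriptAlias maps the URL prefix to the
# directory and marks everything in it as handler cgi-script: files are
# executed, never served as files, and a request for /cgi/ itself is
# refused (403) rather than listed, whatever the site-wide Options say.
#ScriptAlias /cgi/ "/usr/local/www/freebsd/cgi/"
#<Directory "/usr/local/www/freebsd/cgi">
#    Options None
#    AllowOverride None
#    Require all granted
#</Directory>
```

	To check a mirror after reloading httpd: a request for /cgi/ should
	return a 301 to www.FreeBSD.org (Redirect form) or a 403 (ScriptAlias
	form), never a 200 carrying an "Index of /cgi" listing, and a request
	for a script in that directory should return the script's output rather
	than a body beginning with "#!". For this particular site the scripts'
	sources are public, so serving them is untidy rather than a disclosure;
	the same misconfiguration on a site whose CGI scripts embed credentials
	or internal paths would be a real one, which is why the ScriptAlias form
	is the safer default for any mirror guidelines written under fix ii).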


>Release-Note:
>Audit-Trail:

From: Josef Karthauser <joe@tao.org.uk>
To: setantae <setantae@submonkey.net>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: misc/29414: http://www.uk.freebsd.org/cgi lets anyone view the cgi programs
Date: Fri, 3 Aug 2001 18:30:28 +0100

 On Fri, Aug 03, 2001 at 06:02:28PM +0100, setantae wrote:
 > 
 > >Number:         29414
 > >Category:       misc
 > >Synopsis:       http://www.uk.freebsd.org/cgi lets anyone view the cgi programs
 > >Confidential:   no
 > >Severity:       non-critical
 > >Priority:       low
 > >Responsible:    freebsd-bugs
 > >State:          open
 > >Quarter:
 > >Keywords:
 > >Date-Required:
 > >Class:          change-request
 > >Submitter-Id:   current-users
 > >Arrival-Date:   Fri Aug 03 10:10:00 PDT 2001
 > >Closed-Date:
 > >Last-Modified:
 > >Originator:     setantae
 > >Release:        FreeBSD 4.4-PRERELEASE i386
 > >Organization:
 > >Environment:
 > System: FreeBSD rhadamanth.hounds 4.4-PRERELEASE FreeBSD 4.4-PRERELEASE #4: Fri Aug 3 12:49:51 BST 2001 root@rhadamanth.hounds:/usr/obj/usr/src/sys/RHADAMANTH i386
 > 
 > 
 > 
 > >Description:
 > 	www.uk.freebsd.org has the incorrect config regarding the /cgi
 > 	directory.
 > 	Visiting http://www.uk.freebsd.org/cgi gives a directory index, and
 > 	choosing any of the files therein shows you the source code instead
 > 	of the output of their execution.
 > 	Other mirrors do not allow directory indexing on that part of the site.
 > 
 > 	In addition, www3.uk.freebsd.org allows you to view the source of any
 > 	script in /cgi if you already know its name.
 > 	All other mirrors I have tried also allow this, though none other than
 > 	www.uk.freebsd.org allow directory indexing.

 I don't see that this is a problem.  It's not a security issue as all of
 the cgi scripts are publicly available anyway.  The www.uk.freebsd.org
 machine has a global policy of allowing directory indexes, and I don't
 see that it's a problem that it's switched on for the FreeBSD mirror.
 
 Joe
 
State-Changed-From-To: open->closed 
State-Changed-By: joe 
State-Changed-When: Mon Sep 24 04:31:05 PDT 2001 
State-Changed-Why:  
Not determined to be real problem. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29414 
>Unformatted:
