Guys,

> $conffile = param('-f') unless $ENV{GATEWAY_INTERFACE};

I'm not really comfortable with this as a fix, since it still relies on a CGI debugging feature to process arguments. I've brought in the security team, which apparently should have been done a long time ago. I suspect they'll either back me up or provide an even better solution. But in any case, now we've got a crack team of Debian security dudes on the scene.

Security team: blosxom uses Perl's CGI "param" function to process command-line arguments. This function, when not running under a web server, will pull in command-line arguments as though they were CGI fields. It is clearly intended to be a debugging feature. But since blosxom uses it to process things like "-f: path to configuration file" and, predictably, the configuration file is just Perl code, an attacker can use this to run arbitrary Perl code that already exists on the server, as the CGI user. I did a better write-up in the bug report.

Neale
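The separation Neale is asking for, as an added example that is not blosxom's code and not from this thread: the command line is parsed by Getopt::Long, CGI.pm's command-line debugging is switched off with its -no_debug pragma, and under a web server -f is ignored entirely. The config directory, default path and the 'flav' field name are assumptions.

```perl
#!/usr/bin/perl
# Added example, not blosxom's own code: keep command-line option parsing
# and CGI parameter parsing apart, so a web request can never choose the
# configuration file and no CGI debugging feature is needed for options.
use strict;
use warnings;
use CGI qw(-no_debug param);   # -no_debug: CGI.pm never reads @ARGV as fields
use Getopt::Long qw(GetOptions);
use Cwd qw(realpath);

# Assumed defaults; blosxom's real values may differ.
my $conf_dir     = '/etc/blosxom';
my $default_conf = "$conf_dir/blosxom.conf";

# Pick the configuration file. Only the command line may override it.
sub config_path {
    my (@argv) = @_;
    # Under a web server GATEWAY_INTERFACE is set: -f is ignored completely,
    # whatever the request carries in its query string or body.
    return $default_conf if $ENV{GATEWAY_INTERFACE};

    my $conf = $default_conf;
    local @ARGV = @argv;               # let Getopt::Long parse a private copy
    GetOptions('f=s' => \$conf) or die "usage: $0 [-f conffile]\n";

    # Defence in depth: the file is executed as Perl, so refuse anything
    # outside the expected directory (realpath resolves symlinks and "..").
    my $abs = realpath($conf) or die "no such configuration file: $conf\n";
    die "refusing configuration file outside $conf_dir: $abs\n"
        unless index($abs, "$conf_dir/") == 0;
    return $abs;
}

# Load the configuration file (Perl code, as in blosxom) and report errors.
sub load_config {
    my ($path) = @_;
    my $result = do $path;
    unless (defined $result) {
        die "error in $path: $@" if $@;
        die "cannot read $path: $!" if $!;
    }
    return $result;
}

my $conffile = config_path(@ARGV);
load_config($conffile);
# Web-supplied fields are read only afterwards, and never as options.
my $flavour = param('flav') // 'html';
print "config: $conffile, flavour: $flavour\n";
```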