Package: lighttpd
Version: 1.4.19-2
Severity: important
Tags: security
X-Debbugs-CC: [EMAIL PROTECTED]

--- Please enter the report below this line. ---

The new configuration included with lighttpd contains the following lines:

-----snip-----
cgi.assign = (
    ".pl"  => "/usr/bin/perl",
    ".php" => "/usr/bin/php-cgi",
    ".py"  => "/usr/bin/python",
)
-----snap-----

These lines make it possible for scripts outside of /cgi-bin/ and w/o exec
permission to be executed by their respective (according to the mapping)
interpreters.

Most likely the scripts will show some errors like the following in the
error log:

-----snip-----
Traceback (most recent call last):
  File "/<path>/<file>.py", line 12, in <module>
    import wx, math, time
ImportError: No module named wx
-----snap-----

Which is one of my scripts I hosted within my data files - I do not have any
cgi's for that matter.

Please correct the 10-cgi.conf in conf-available/ to a safe default.

Cheers,
Marcus

--- System information. ---
Architecture: i386
Kernel:       Linux 2.6.24-1-686

Debian Release: lenny/sid
  500 unstable        ftp.de.debian.org
  500 unstable        deb.opera.com
    1 experimental    ftp.de.debian.org

--- Package information. ---
Depends                      (Version) | Installed
=======================================-+-==================
libattr1                  (>= 2.4.41-1) | 1:2.4.41-1
libbz2-1.0                              | 1.0.5-0.1
libc6                        (>= 2.7-1) | 2.7-10
libfam0                                 |
libldap-2.4-2                (>= 2.4.7) | 2.4.7-6.1
libpcre3                       (>= 7.4) | 7.6-2
libssl0.9.8               (>= 0.9.8f-5) | 0.9.8g-8
libterm-readline-perl-perl              | 1.0302-1
lsb-base                     (>= 3.0-3) | 3.2-12
mime-support                            | 3.40-1.1
zlib1g                     (>= 1:1.1.4) | 1:1.2.3.3.dfsg-12

--
/* name>Marcus Fritzsch www>fritschy.de gnupg>98A1D365 icq>53118621 jabber>[EMAIL PROTECTED]
/------------------------------------- ----------------------------------/
*/s(c,t){return isalpha(c)&&t?s(65-c
&&97-c?c-1:c+25,t-1):c;}main(){for(;;)putchar(s(getchar(),13));}
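
Added example, not part of the original report and not code from lighttpd or the Debian package: a small audit that flags cgi.assign mappings set at global scope, which is the condition the report describes. The SCOPED sample, its /cgi-bin/ URL conditional, and all function names are assumptions made for illustration.

```python
import re

# Config quoted in the report: interpreters mapped by extension at global scope.
WEAK = '''
cgi.assign = (
    ".pl"  => "/usr/bin/perl",
    ".php" => "/usr/bin/php-cgi",
    ".py"  => "/usr/bin/python",
)
'''

# Constructed alternative (assumption): mapping applies only under /cgi-bin/.
SCOPED = '''
$HTTP["url"] =~ "^/cgi-bin/" {
    cgi.assign = (
        ".pl" => "/usr/bin/perl",
        ".py" => "/usr/bin/python",
    )
}
'''

PAIR = re.compile(r'"([^"]*)"\s*=>\s*"([^"]*)"')
ASSIGN = re.compile(r'cgi\.assign\s*\+?=\s*\(([^)]*)\)')

def strip_comments(text):
    """Drop # comments, leaving a # inside a double-quoted string alone."""
    out = []
    for line in text.splitlines():
        in_str = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_str = not in_str
            elif ch == '#' and not in_str:
                line = line[:i]
                break
        out.append(line)
    return "\n".join(out)

def global_cgi_assign(conf_text):
    """Return (extension, interpreter) pairs assigned outside any { } block."""
    text = strip_comments(conf_text)
    found, depth, pos = [], 0, 0
    for m in ASSIGN.finditer(text):
        # Brace depth before the match shows whether a conditional encloses it.
        segment = text[pos:m.start()]
        depth += segment.count("{") - segment.count("}")
        pos = m.start()
        if depth == 0:
            found.extend(PAIR.findall(m.group(1)))
    return found
```

A non-empty result means every file with a listed extension anywhere under the document root is handed to the interpreter, regardless of directory or exec bit.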