Anybody can view the content of (any?) file (especially a CGI script) if the server is using eperl (current version is 2.2.14) for server-side scripting, especially as the external "/cgi-bin/nph-eperl".

Fix: Maybe we can tweak the server config? (I'm still doing some "brute attack" on my very own server.)

How-To-Repeat: Browse to "http://any_server_using_eperl/cgi-bin/nph-eperl/cgi-bin/any_cgi_script"
Example: http://www.cdrom.com/cgi-bin/nph-eperl/cgi-bin/OpenCart.cgi (sorry)

Responsible Changed From-To: freebsd-ports->rse
Over to maintainer.

Responsible Changed From-To: rse->freebsd-ports-bugs
rse no longer has time to look after this port, so reset the Responsible line. The port is available for adoption ...

State Changed From-To: open->feedback
Have you sent a problem report to the upstream developers too? I'm not sure that's FreeBSD specific.

More information:
The behaviour outlined in the PR is described in both eperl documentation and code, and is not FreeBSD specific. When invoked as a cgi or nph-cgi executable with a script name as the argument, the script is interpreted as an eperl script relative to the server document root. The result is sent to the client. Files ending in .html, .phtml, .ephtml, .epl, .pl, .cgi are interpreted in this manner. The worst result is unintended disclosure of a file under the document root and ending in one of those extensions.
Refs: ${WRKSRC}/NEWS, INSTALL.APACHE and eperl_main.c

State Changed From-To: feedback->closed
The problem described is not specific to FreeBSD. A warning has been added to pkg-message describing the consequences of using eperl in CGI mode.
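
A log check for the behaviour described in the "More information" follow-up, as an added example that is not part of the PR or of eperl: it flags access-log requests whose path continues past the eperl CGI endpoint and names a file with one of the listed extensions. The Common Log Format input, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions the PR follow-up lists as being interpreted in CGI mode.
EPERL_EXTENSIONS = (".html", ".phtml", ".ephtml", ".epl", ".pl", ".cgi")
# Endpoint taken from the PR's How-To-Repeat; adjust to the local install (assumption).
EPERL_ENDPOINTS = ("/cgi-bin/nph-eperl",)
# Request line and status code of a Common Log Format entry (assumed log format).
CLF = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def eperl_path_info(target):
    """Return the path that follows an eperl CGI endpoint, or None if there is none."""
    path = unquote(urlsplit(target).path)  # drop the query string, decode %xx
    for endpoint in EPERL_ENDPOINTS:
        if path.startswith(endpoint + "/"):
            return path[len(endpoint):]
    return None


def flag_disclosures(log_lines):
    """Return (path_info, status) for requests naming a file eperl would process."""
    hits = []
    for line in log_lines:
        m = CLF.search(line)
        info = eperl_path_info(m.group("target")) if m else None
        # Case-insensitive match is a detection choice, erring towards flagging.
        if info and info.lower().endswith(EPERL_EXTENSIONS):
            hits.append((info, int(m.group("status"))))
    return hits


# Constructed sample log lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /cgi-bin/nph-eperl/cgi-bin/any_cgi_script.cgi HTTP/1.0" 200 5120',
    '192.0.2.10 - - [01/Jan/2001:10:00:05 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.11 - - [01/Jan/2001:10:01:00 +0000] "GET /cgi-bin/nph-eperl/docs/page.phtml?x=1 HTTP/1.0" 200 2048',
    '192.0.2.12 - - [01/Jan/2001:10:02:00 +0000] "GET /cgi-bin/nph-eperl/images/logo.gif HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for path_info, status in flag_disclosures(SAMPLE_LOG):
        print(f"review: eperl CGI request for {path_info} (status {status})")
```

A flagged request with a 200 status is the case to review first, since the file's processed output went back to the client.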