Bug 29414

Summary: http://www.uk.freebsd.org/cgi lets anyone view the cgi programs
Product: Base System
Reporter: setantae <setantae>
Component: misc
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 4.4-PRERELEASE   
Hardware: Any   
OS: Any   

Description setantae 2001-08-03 18:10:00 UTC
	www.uk.freebsd.org has the incorrect config regarding the /cgi
	directory.
	Visiting http://www.uk.freebsd.org/cgi gives a directory index, and
	choosing any of the files therein shows you the source code instead
	of the output of their execution.
	Other mirrors do not allow directory indexing on that part of the site.

	In addition, www3.uk.freebsd.org allows you to view the source of any
	script in /cgi if you already know its name.
	All other mirrors I have tried also allow this, though none other than
	www.uk.freebsd.org allow directory indexing.

Fix:

	i) Change the way that mirroring works so that all mirrors redirect to
	   www.freebsd.org/cgi for these?

	ii) Produce guidelines regarding httpd configuration for mirror sites?
How-To-Repeat: 	Visit http://www.uk.freebsd.org/cgi in a browser.
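
As an added example (not part of the report and not FreeBSD project code), a mirror operator could classify responses from their own /cgi area to catch the two exposures described above. It assumes Apache-style "Index of" listing titles and a hypothetical script name `example.cgi`; the sample responses are constructed.

```python
import re

# Apache-style autoindex title (assumption; other servers word listings differently).
INDEX_TITLE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)

def classify(path, status, headers, body):
    """Return one finding for a single response from the /cgi area."""
    if 300 <= status < 400:
        return "redirected"   # e.g. fix (i): the mirror redirects to the main site
    if status != 200:
        return "refused"      # 403/404: nothing is exposed
    ctype = headers.get("Content-Type", "").lower()
    if path.endswith("/") and ctype.startswith("text/html") and INDEX_TITLE.search(body):
        return "directory-index"
    # A CGI script starts with its interpreter line; seeing "#!" in the body
    # means the file was sent as-is instead of being executed.
    if body.lstrip("\ufeff").startswith("#!"):
        return "source-served"
    return "executed"

def audit(responses):
    """Map each path to its finding, keeping only the exposures."""
    findings = {}
    for path, (status, headers, body) in responses.items():
        result = classify(path, status, headers, body)
        if result in ("directory-index", "source-served"):
            findings[path] = result
    return findings

# Constructed responses; /cgi/example.cgi is a hypothetical script name.
MISCONFIGURED = {
    "/cgi/": (200, {"Content-Type": "text/html"},
              "<html><head><title>Index of /cgi</title></head><body></body></html>"),
    "/cgi/example.cgi": (200, {"Content-Type": "text/plain"},
                         '#!/usr/bin/perl\nprint "Content-type: text/html\\n\\n";\n'),
}
CORRECTED = {
    "/cgi/": (403, {"Content-Type": "text/html"}, "<h1>Forbidden</h1>"),
    "/cgi/example.cgi": (200, {"Content-Type": "text/html"},
                         "<html><body>results</body></html>"),
}

if __name__ == "__main__":
    print(audit(MISCONFIGURED))
    print(audit(CORRECTED))
```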
Comment 1 Josef Karthauser 2001-08-03 18:30:28 UTC
On Fri, Aug 03, 2001 at 06:02:28PM +0100, setantae wrote:
> 
> >Number:         29414
> >Category:       misc
> >Synopsis:       http://www.uk.freebsd.org/cgi lets anyone view the cgi programs
> >Confidential:   no
> >Severity:       non-critical
> >Priority:       low
> >Responsible:    freebsd-bugs
> >State:          open
> >Quarter:        
> >Keywords:       
> >Date-Required:
> >Class:          change-request
> >Submitter-Id:   current-users
> >Arrival-Date:   Fri Aug 03 10:10:00 PDT 2001
> >Closed-Date:
> >Last-Modified:
> >Originator:     setantae
> >Release:        FreeBSD 4.4-PRERELEASE i386
> >Organization:
> >Environment:
> System: FreeBSD rhadamanth.hounds 4.4-PRERELEASE FreeBSD 4.4-PRERELEASE #4: Fri Aug 3 12:49:51 BST 2001 root@rhadamanth.hounds:/usr/obj/usr/src/sys/RHADAMANTH i386
> 
> 
> 	
> >Description:
> 	www.uk.freebsd.org has the incorrect config regarding the /cgi
> 	directory.
> 	Visiting http://www.uk.freebsd.org/cgi gives a directory index, and
> 	choosing any of the files therein shows you the source code instead
> 	of the output of their execution.
> 	Other mirrors do not allow directory indexing on that part of the site.
> 
> 	In addition, www3.uk.freebsd.org allows you to view the source of any
> 	script in /cgi if you already know its name.
> 	All other mirrors I have tried also allow this, though none other than
> 	www.uk.freebsd.org allow directory indexing.


I don't see that this is a problem.  It's not a security issue as all of
the cgi scripts are publicly available anyway.  The www.uk.freebsd.org
machine has a global policy of allowing directory indexes, and I don't
see that it's a problem that it's switched on for the FreeBSD mirror.

Joe
Comment 2 joe freebsd_committer freebsd_triage 2001-09-24 12:31:05 UTC
State Changed
From-To: open->closed

Not determined to be a real problem.