Gossamer Threads DBMan Information Leakage Vulnerability
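# Solution: Gossamer Threads has released the following solution. Verify that
# $db_debug is turned off in the configuration file and replace cgierr in the
# db.cgi file with the following:

sub cgierr {
# --------------------------------------------------------
# Displays any errors and prints out FORM and ENVIRONMENT
# information. Useful for debugging.
#
# Arguments: $_[0] - optional error message text.
# Reads the script globals $html_headers_printed, $db_debug, $db_setup,
# $db_userid, $db_uid and %in. Never returns: it ends with exit -1.
#
# The detailed dump is emitted only when $db_debug is set. It contains the
# session ID, every submitted form value and the complete server
# environment, so $db_debug has to stay off on any publicly reachable
# installation; with it off the visitor sees only the generic message.

    my ($message) = @_;

    # The error text, the form values and many %ENV entries (QUERY_STRING,
    # the HTTP_* request headers) come from the client. The response is
    # text/html, so they are escaped before printing; otherwise markup sent
    # in a request would be rendered in the browser of whoever views the
    # debug page.
    my $escape_html = sub {
        my $text = defined $_[0] ? $_[0] : '';
        $text =~ s/&/&amp;/g;
        $text =~ s/</&lt;/g;
        $text =~ s/>/&gt;/g;
        $text =~ s/"/&quot;/g;
        return $text;
    };

    # Send the CGI header only once per request.
    if (!$html_headers_printed) {
        print "Content-type: text/html\n\n";
        $html_headers_printed = 1;
    }

    print "DBMan encountered an internal error. ";

    if ($db_debug) {
        print "<pre>\n\nCGI ERROR\n==========================================\n";
        $message   and print "Error Message : " . $escape_html->($message) . "\n";
        $0         and print "Script Location : " . $escape_html->($0) . "\n";
        $]         and print "Perl Version : $]\n";
        $db_setup  and print "Setup File : " . $escape_html->("$db_setup.cfg") . "\n";
        $db_userid and print "User ID : " . $escape_html->($db_userid) . "\n";
        $db_uid    and print "Session ID : " . $escape_html->($db_uid) . "\n";

        print "\nForm Variables\n-------------------------------------------\n";
        foreach my $key (sort keys %in) {
            # Pad the name to 20 columns; names longer than that get no padding.
            my $pad = 20 - length($key);
            $pad = 0 if $pad < 0;
            my $space = " " x $pad;
            print $escape_html->($key) . "$space: " . $escape_html->($in{$key}) . "\n";
        }

        print "\nEnvironment Variables\n-------------------------------------------\n";
        foreach my $env (sort keys %ENV) {
            my $pad = 20 - length($env);
            $pad = 0 if $pad < 0;
            my $space = " " x $pad;
            print $escape_html->($env) . "$space: " . $escape_html->($ENV{$env}) . "\n";
        }
        print "\n</pre>";
    }
    else {
        # Debugging is off: disclose nothing about the request or the server.
        print "Please enable debugging to view.";
    }
    exit -1;
}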