Security Issue: default parameters for texis.exe

stephanie1
Posts: 1
Joined: Thu Feb 07, 2002 5:51 pm

Post by stephanie1 »

If the parameters for texis.exe are cut off in the URL, or invalid parameters are entered, an Error 002 is generated which displays the root directory for the domain. The sample below is from this site. This is obviously a security risk. The question is, how can texis.exe be configured to send a generic HTML file if it gets no parameters or unrecognized parameters?

----
Texis Web Script (Vortex) Copyright © 1996-2002 Thunderstone - EPI, Inc.
Commercial Server Version 4.00.1010184260 of Jan 4, 2002 (alpha-dec-osf4.0-64)

Error
002 /usr2/pub/httpd/texis/index: Can't open default script /usr2/pub/httpd/texis/index: No such file or directory
John
Site Admin
Posts: 2622
Joined: Mon Apr 24, 2000 3:18 pm
Location: Cleveland, OH

Post by John »

This is intended to help the developer locate problems. With vhttpd the EntryScript can check the parameters (e.g. <stat $sourcepath>), and take the appropriate action.

Knowledge of the root directory should not be a security risk as it does not provide access to anything. If you have some other software with an access vulnerability, then hiding the root directory path only gives you security by obscurity, but chances are the other vulnerability can be exploited to find the path anyway.
John Turnbull
Thunderstone Software
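
One way to serve the generic page the original question asks for without changing Texis itself, as an added example that is not from this thread or from Thunderstone: a response filter for a front-end proxy that recognizes the Error 002 page quoted above, replaces it with a generic page, and keeps the path in a server-side log for the developer. The function names, the proxy hook and the 404 status are assumptions; the sample body is the error text quoted in the first post.

```python
import re

# Vortex error line as quoted in the post: a three-digit error number,
# then an absolute filesystem path followed by a colon.
ERROR_LINE = re.compile(r"^[ \t]*(\d{3})[ \t]+(/[^\s:]+):\s", re.MULTILINE)
BANNER = "Texis Web Script (Vortex)"
GENERIC_PAGE = "<html><body><h1>Page not available</h1></body></html>"

# Sample body taken from the error output quoted in the first post.
SAMPLE_ERROR_BODY = """Texis Web Script (Vortex) Copyright © 1996-2002 Thunderstone - EPI, Inc.
Commercial Server Version 4.00.1010184260 of Jan 4, 2002 (alpha-dec-osf4.0-64)

Error
002 /usr2/pub/httpd/texis/index: Can't open default script /usr2/pub/httpd/texis/index: No such file or directory
"""


def find_disclosed_paths(body):
    """Return (error_number, path) pairs if body is a Vortex error page."""
    if BANNER not in body:
        return []  # not a Texis page; do not touch unrelated content
    return ERROR_LINE.findall(body)


def filter_response(status, body, log):
    """Hypothetical proxy hook: hide Vortex error pages from the client.

    The full error, including the path, is appended to `log` so the
    developer still gets the diagnostic the error page was meant to give.
    """
    leaks = find_disclosed_paths(body)
    if not leaks:
        return status, body
    for number, path in leaks:
        log.append(f"texis error {number} suppressed, path={path}")
    return 404, GENERIC_PAGE  # 404 is this example's choice of status


if __name__ == "__main__":
    log = []
    print(filter_response(200, SAMPLE_ERROR_BODY, log))
    print(log)
```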