[3386] in WWW Security List Archive
SSI #exec
daemon@ATHENA.MIT.EDU (Rich Brennan)
Mon Oct 28 12:48:26 1996
Date: Mon, 28 Oct 1996 09:45:01 -0500 (EST)
From: Rich Brennan <brennan@ConnActivity.ConnActivity.com>
To: www-security@ns2.rutgers.edu
Cc: brennan@ConnActivity.ConnActivity.com
Errors-To: owner-www-security@ns2.rutgers.edu
I'd like to provide server side includes for my users, and I'd also like to
provide SSI execution of CGI scripts, but disallow the "cmd" option of
executing random scripts/programs. I feel that this is a decent compromise
between user available functionality and Web server security. This is probably
easy to do with the Apache server I'm using (what a great piece of work,
Apache group!).
Am I being naive here? Does this solution open me up to anything horrible
(assuming that installing CGI programs is controlled). Any comments/insights
would be greatly appreciated.
Rich
