[3394] in WWW Security List Archive
Re: SSI #exec
daemon@ATHENA.MIT.EDU (Robert S. Muhlestein)
Mon Oct 28 18:39:22 1996
Date: Mon, 28 Oct 1996 13:19:37 -0800 (PST)
From: "Robert S. Muhlestein" <robertm@teleport.com>
To: Rich Brennan <brennan@ConnActivity.ConnActivity.com>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <199610281445.JAA16673@ConnActivity.ConnActivity.com>
Errors-To: owner-www-security@ns2.rutgers.edu
While at Teleport we simply commented out the "cmd" source code and
tied it to a precomile directive. I, for one, would very much like to
see the different server authors include this option. Something like a
"IncludesNoExecCMD" configuration similar to the "IncludeNoExec" option
available in most servers now. Why? Because if you are running Apache
you can make this little change without too much difficulty (you still
need to keep track of the hack and reimplement it in every Apache
upgrade). However, Netscape and the others, of course, don't allow you
to access or alter the source code (ahh, closed software. Long live
GNU!). I suppose something could be done using NSAPI plugins, but why
not just a simple configuration option.
This makes so much sense and I have read server administrators frustrations
not being able to use ANY SSIs in order to avoid the "exec cmd" while the
"exec cgi" is only as malicious as the CGI scripts you allow. In the case
of a monitored cgi-bin directory, you have control over what "exec cgi"s are
allowed.
Someone at Apache, Netscape and everywhere else in server land, please add
this trivial little option--or at least tell me why you won't. I have
submitted a simple little patch to Apache but have heard nothing (the patch
was for Apache 1.0 or I'd dig it up and repeat it here).
In short, Rich. No, no problems except for normal CGI security. Teleport
has allowed users to use SSIs without the "cmd" option for a year now
without adverse affect--other than the normal performance hit from SSIs
being parsed. I also highly recommend the X-bit-hack instead of forcing
everyone to change to .shtml extensions.
Here are a couple of Teleport resources that explain this to users:
http://www.teleport.com/support/webweave/SSI.shtml
http://www.teleport.com/support/webweave/server_parsing.shtml
Hope this helps...
----------------------------------------------------------------------
Robert S. Muhlestein
Web Technologist
NIKE, Inc.
Work: robert.muhlestein@nike.com
Personal: rmuhle@q7.com
Old: robertm@teleport.com
(Opinions and comments are my own, not NIKE's.)
----------------------------------------------------------------------
On Mon, 28 Oct 1996, Rich Brennan wrote:
> I'd like to provide server side includes for my users, and I'd also like to
> provide SSI execution of CGI scripts, but disallow the "cmd" option of
> executing random scripts/programs. I feel that this is a decent compromise
> between user available functionality and Web server security. This is probably
> easy to do with the Apache server I'm using (what a great piece of work,
> Apache group!).
>
> Am I being naive here? Does this solution open me up to anything horrible
> (assuming that installing CGI programs is controlled). Any comments/insights
> would be greatly appreciated.
>
>
>
> Rich
>
