[3396] in WWW Security List Archive


Re: SSI #exec

daemon@ATHENA.MIT.EDU (sameer)
Tue Oct 29 00:56:17 1996

From: sameer <sameer@c2.net>
To: robertm@teleport.com (Robert S. Muhlestein)
Date: Mon, 28 Oct 1996 18:48:06 -0800 (PST)
Cc: brennan@ConnActivity.ConnActivity.com, www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SUN.3.92.961028125926.5878C-100000@linda.teleport.com> from "Robert S. Muhlestein" at "Oct 28, 96 01:19:37 pm"
Errors-To: owner-www-security@ns2.rutgers.edu

	In apache you don't need to do any hack. Rather than using
"exec cgi" or "exec cmd" you can use "include virtual."



> While at Teleport we simply commented out the "cmd" source code and
> tied it to a precompile directive.  I, for one, would very much like to
> see the different server authors include this option.  Something like an
> "IncludesNoExecCMD" configuration similar to the "IncludeNoExec" option
> available in most servers now.  Why?  Because if you are running Apache
> you can make this little change without too much difficulty (you still
> need to keep track of the hack and reimplement it in every Apache
> upgrade).  However, Netscape and the others, of course, don't allow you
> to access or alter the source code (ahh, closed software.  Long live
> GNU!).  I suppose something could be done using NSAPI plugins, but why
> not just a simple configuration option.
> 
> This makes so much sense and I have read server administrators' frustrations
> not being able to use ANY SSIs in order to avoid the "exec cmd" while the
> "exec cgi" is only as malicious as the CGI scripts you allow.  In the case
> of a monitored cgi-bin directory, you have control over what "exec cgi"s are
> allowed.
> 
> Someone at Apache, Netscape and everywhere else in server land, please add
> this trivial little option--or at least tell me why you won't.  I have
> submitted a simple little patch to Apache but have heard nothing (the patch
> was for Apache 1.0 or I'd dig it up and repeat it here).
> 
> In short, Rich.  No, no problems except for normal CGI security.  Teleport
> has allowed users to use SSIs without the "cmd" option for a year now
> without adverse effect--other than the normal performance hit from SSIs
> being parsed.  I also highly recommend the X-bit-hack instead of forcing
> everyone to change to .shtml extensions.
> 
> Here are a couple of Teleport resources that explain this to users:
> 
> http://www.teleport.com/support/webweave/SSI.shtml
> http://www.teleport.com/support/webweave/server_parsing.shtml
> 
> Hope this helps...
> 
> ----------------------------------------------------------------------
>                      Robert S. Muhlestein
>                        Web Technologist
>                           NIKE, Inc.
>                Work: robert.muhlestein@nike.com
>                    Personal: rmuhle@q7.com
>                   Old: robertm@teleport.com
>           (Opinions and comments are my own, not NIKE's.)
> ----------------------------------------------------------------------
> 
> 
> On Mon, 28 Oct 1996, Rich Brennan wrote:
> 
> > I'd like to provide server side includes for my users, and I'd also like to
> > provide SSI execution of CGI scripts, but disallow the "cmd" option of
> > executing random scripts/programs. I feel that this is a decent compromise
> > between user available functionality and Web server security. This is probably
> > easy to do with the Apache server I'm using (what a great piece of work,
> > Apache group!).
> >
> > Am I being naive here? Does this solution open me up to anything horrible
> > (assuming that installing CGI programs is controlled). Any comments/insights
> > would be greatly appreciated.
> >
> >
> >
> > Rich
> >
> 


-- 
Sameer Parekh					Voice:   510-986-8770
C2Net						FAX:     510-986-8777
The Internet Privacy Provider
http://www.c2.net/				sameer@c2.net
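Sameer's substitution ("include virtual" in place of "exec cgi"/"exec cmd") and the option Robert asks for both map onto Apache's existing `Options` values. The configuration below is an added example, not part of the original thread: it assumes an Apache httpd 2.4 with mod_include, mod_cgi and mod_alias loaded, and the directory paths and the script name `counter.cgi` are constructed.

```apache
# Weak: plain "Includes" enables every SSI directive, including
# <!--#exec cmd="..." -->, which runs a shell command as the server
# user from any page an author is allowed to edit.
<Directory "/var/www/users">          # constructed path
    Options Includes
</Directory>

# Hardened: IncludesNOEXEC keeps SSI parsing but disables both
# "exec cmd" and "exec cgi".  CGI output can still be pulled in with
# "include virtual" from a ScriptAliased directory, so only scripts
# the admin has reviewed and installed there can run.
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"   # constructed path
<Directory "/var/www/cgi-bin">
    Options ExecCGI
    Require all granted
</Directory>

<Directory "/var/www/users">
    Options IncludesNOEXEC
    # Robert's recommendation: parse HTML files that have the execute
    # bit set instead of making every author rename pages to .shtml.
    XBitHack on
    AddOutputFilter INCLUDES .shtml
</Directory>

# Effect on a page under /var/www/users with IncludesNOEXEC in force:
#   <!--#include virtual="/cgi-bin/counter.cgi" -->   output is included
#   <!--#exec cgi="/cgi-bin/counter.cgi" -->          refused by mod_include
#   <!--#exec cmd="date" -->                          refused by mod_include
```

A refused directive is replaced in the output by mod_include's error string and logged, so a quick grep of the error log for "exec used but not allowed" shows which pages still rely on it.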
