[3403] in WWW Security List Archive
Re: SSIs
daemon@ATHENA.MIT.EDU (Andrew J. Hoag)
Tue Oct 29 14:29:29 1996
From: "Andrew J. Hoag" <ahoag@nas.nasa.gov>
Date: Tue, 29 Oct 1996 08:27:17 -0800
In-Reply-To: "Robert S. Muhlestein" <robertm@teleport.com>
"Re: SSIs" (Oct 28, 8:51pm)
To: "Robert S. Muhlestein" <robertm@teleport.com>,
www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
On Oct 28, 8:51pm, Robert S. Muhlestein wrote:
> Subject: Re: SSIs
> Someone suggested that using "include virtual" will work for CGI scripts.
> My experience has been that when IncludesNOEXEC is set, contrary to
> reason, this also deactivates calls to "include virtual" if the virtual is a
> path to a CGI script. From www.apache.org:
>
> IncludesNOEXEC
> Server-side includes are permitted, but the #exec command and
> #include of CGI scripts are disabled.
>
> I was very excited to discover "include virtual" some time ago only to
> meet with this disappointment. I would love to be wrong on this.
> Someone please tell me if I am.
This is definitely not a disappointment and I value this option. Allowing users
to use SSI without worrying about them executing programs is one less thing I have
to monitor and worry about as a security vulnerability.
Could someone explain to me why exec'ing a cmd (any /bin/sh command) is worse
than exec'ing a CGI that exec's a cmd (interpreter of your choice)?
--
| Andrew Hoag | MS 258-6 | Voice: (415) 604-4972 |
| Network Engineer | Moffett Field, CA 94035 | Fax: (415) 604-4377 |
| High-Speed LAN +------------------------+---+--------------------+
| NAS Facility | http://www.gac.edu/~ahoag/ | ahoag@nas.nasa.gov |
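As an added example (not part of this thread, and not text from the Apache documentation), here are the two per-directory settings under discussion side by side in httpd.conf form. The directory path, the handler line and the .shtml directives shown in the comments are assumptions for illustration only; the `AddHandler server-parsed` line is the Apache 1.x way of enabling parsing, and Apache 2.x uses `AddOutputFilter INCLUDES .shtml` instead.

```apache
# Weak: any user who can write an .shtml file under this tree can run
# arbitrary commands as the web server's uid, e.g.
#   <!--#exec cmd="/bin/cat /etc/passwd" -->
#   <!--#include virtual="/cgi-bin/anything.cgi" -->
<Directory /home/*/public_html>
    Options Includes
    AddHandler server-parsed .shtml
</Directory>

# Corrected: pages are still parsed, and
#   <!--#include virtual="/footer.html" -->      (a static file)
# still works, but
#   <!--#exec cmd="..." -->
#   <!--#exec cgi="..." -->
#   <!--#include virtual="/cgi-bin/anything.cgi" -->
# are refused and render as the SSI error string
# "[an error occurred while processing this directive]".
<Directory /home/*/public_html>
    Options IncludesNOEXEC
    AddHandler server-parsed .shtml
</Directory>
```

One caveat worth checking on your own server: the current Apache documentation for IncludesNOEXEC says it is still possible to `#include virtual` a CGI script that lives in a ScriptAliased directory, so the protection is weaker than the 1996 wording quoted above suggests if you also have a ScriptAlias in place. Test it with a throwaway .shtml page rather than trusting the option name.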