[3409] in WWW Security List Archive
Re: SSI #exec
daemon@ATHENA.MIT.EDU (Andrei D. Caraman)
Wed Oct 30 05:09:40 1996
Date: Wed, 30 Oct 1996 09:55:00 +0200 (EET)
From: "Andrei D. Caraman" <xax@arkenstone.pub.ro>
To: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SUN.3.92.961028125926.5878C-100000@linda.teleport.com>
Errors-To: owner-www-security@ns2.rutgers.edu

On Mon, 28 Oct 1996, Rich Brennan wrote:
> I'd like to provide server side includes for my users, and I'd also like to
> provide SSI execution of CGI scripts, but disallow the "cmd" option of
> executing random scripts/programs. I feel that this is a decent compromise
> between user available functionality and Web server security. This is probably
> easy to do with the Apache server I'm using (what a great piece of work,
> Apache group!).
>
> Am I being naive here? Does this solution open me up to anything horrible
> (assuming that installing CGI programs is controlled). Any comments/insights
> would be greatly appreciated.

afaik, there is a directive called "ExecCGI" in apache, that will allow
<!--#exec cgi...> but not <!--#exec cmd...>. looks like there's no need
to hack the source.
unfortunately i don't have the docs at hand, so i can't be 100% sure :(
regards,
--
Andrei D. Caraman ROEDUNET ---- Bucharest
Webmaster, hostmaster, ftpkeeper, sysadmin & many more
xax@arkenstone.pub.ro http://www.pub.ro/~xax/
- Geek code & PGP key available by WWW -
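
The setup asked about in this thread, sketched as an added configuration example that is not part of the original messages. It uses Apache httpd's documented `IncludesNOEXEC` option, under which `#exec cmd` and `#exec cgi` are both disabled while `#include virtual` of CGI programs in a ScriptAliased directory still works. The directory paths and the script name `counter.cgi` are assumptions, and `.shtml` parsing is assumed to be enabled elsewhere in the server configuration.

```apache
# Constructed example: paths and script names below are assumptions.

# Weak setting, shown commented out for comparison: plain "Includes" lets
# any user-written page run shell commands through
#   <!--#exec cmd="..." -->
#
# <Directory "/home/*/public_html">
#     Options Includes
# </Directory>

# Restricted setting: SSI directives are still parsed in user pages,
# but #exec cmd and #exec cgi are both disabled.
<Directory "/home/*/public_html">
    Options IncludesNOEXEC
    # Stop users from turning Includes or ExecCGI back on in .htaccess.
    AllowOverride None
</Directory>

# CGI programs installed and reviewed by the administrator live only here.
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"

# User pages can still embed the output of those programs with:
#   <!--#include virtual="/cgi-bin/counter.cgi" -->
```

After a reload, a user page containing `<!--#exec cmd="id" -->` should render an SSI error in place of command output, which is a quick check that the restriction is in effect.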