[3417] in WWW Security List Archive
Re: SSI #exec
daemon@ATHENA.MIT.EDU (Ben Laurie)
Wed Oct 30 22:56:04 1996
To: "Andrei D. Caraman" <xax@arkenstone.pub.ro>
Date: Thu, 31 Oct 1996 00:10:34 +0000 (GMT)
From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.LNX.3.93.961030095122.2944F-100000@arkenstone.pub.ro> from "Andrei D. Caraman" at Oct 30, 96 09:55:00 am
Reply-To: ben@algroup.co.uk
Errors-To: owner-www-security@ns2.rutgers.edu

Andrei D. Caraman wrote:
>
> On Mon, 28 Oct 1996, Rich Brennan wrote:
>
> > I'd like to provide server side includes for my users, and I'd also like to
> > provide SSI execution of CGI scripts, but disallow the "cmd" option of
> > executing random scripts/programs. I feel that this is a decent compromise
> > between user available functionality and Web server security. This is probably
> > easy to do with the Apache server I'm using (what a great piece of work,
> > Apache group!).
> >
> > Am I being naive here? Does this solution open me up to anything horrible
> > (assuming that installing CGI programs is controlled). Any comments/insights
> > would be greatly appreciated.
>
> afaik, there is a directive called "ExecCGI" in apache, that will allow
> <!--#exec cgi...> but not <!--#exec cmd...>. looks like there's no need
> to hack the source.
>
> unfortunately i don't have the docs at hand, so i can't be 100% sure :(

I don't have the docs but I do have the source ;-)

The source appears to say that exec is either allowed or not allowed, and if
it is allowed, then both cgi and cmd will be allowed.

I could be wrong, though, and I have to admit I don't quite see the logic of
it.

Cheers,

Ben.
--
Ben Laurie Phone: +44 (181) 994 6435 Email: ben@algroup.co.uk
Freelance Consultant and Fax: +44 (181) 994 6472
Technical Director URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd, Apache Group member (http://www.apache.org)
London, England. Apache-SSL author
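
Added example, not part of the thread or of Apache: if the server treats `#exec` as all-or-nothing, as the reply above reads the source, one way to hold users to a "cgi yes, cmd no" policy is to scan their pages for `#exec` directives and flag the `cmd` form. The function names and the sample page are constructed for illustration, and matching names case-insensitively is a conservative choice of this scanner.

```python
import re

# Matches an SSI element: <!--#element attr="value" ... -->
SSI_RE = re.compile(r'<!--#(\w+)\s+(.*?)\s*-->', re.DOTALL)
# Matches attr="value", attr='value' or attr=value inside the element
ATTR_RE = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))''')


def find_exec_directives(text):
    """Return (line_number, kind, argument) for every SSI #exec directive.

    kind is "cmd" or "cgi", the two forms discussed in the thread.
    """
    findings = []
    for m in SSI_RE.finditer(text):
        if m.group(1).lower() != "exec":
            continue  # include, echo, etc. are not of interest here
        line = text.count("\n", 0, m.start()) + 1
        for a in ATTR_RE.finditer(m.group(2)):
            kind = a.group(1).lower()
            if kind in ("cmd", "cgi"):
                value = a.group(2) or a.group(3) or a.group(4) or ""
                findings.append((line, kind, value))
    return findings


def cmd_violations(text):
    """Only the directives a 'cgi yes, cmd no' policy would reject."""
    return [f for f in find_exec_directives(text) if f[1] == "cmd"]


# Constructed sample page, not taken from the thread.
SAMPLE = """<html><body>
<!--#include virtual="/header.html" -->
<!--#exec cgi="/cgi-bin/counter.cgi" -->
<p>Last build:
<!--#EXEC CMD="/bin/date" -->
</p>
<!--#echo var="DATE_LOCAL" -->
</body></html>
"""

if __name__ == "__main__":
    for line, kind, arg in find_exec_directives(SAMPLE):
        status = "REJECT" if kind == "cmd" else "ok"
        print(f"line {line}: #exec {kind}={arg!r} -> {status}")
```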