[3419] in WWW Security List Archive
Re: SSI #exec
daemon@ATHENA.MIT.EDU (Andrei D. Caraman)
Thu Oct 31 07:04:29 1996
Date: Thu, 31 Oct 1996 11:50:24 +0200 (EET)
From: "Andrei D. Caraman" <xax@arkenstone.pub.ro>
To: ben@algroup.co.uk
cc: www-security@ns2.rutgers.edu
In-Reply-To: <9610310010.aa22126@gonzo.ben.algroup.co.uk>
Errors-To: owner-www-security@ns2.rutgers.edu
On Thu, 31 Oct 1996, Ben Laurie wrote:
> Andrei D. Caraman wrote:
> >
> > On Mon, 28 Oct 1996, Rich Brennan wrote:
> >
> > > I'd like to provide server side includes for my users, and I'd also like to
> > > provide SSI execution of CGI scripts, but disallow the "cmd" option of
> > > executing random scripts/programs. I feel that this is a decent compromise
> > > between user available functionality and Web server security. This is probably
> > > easy to do with the Apache server I'm using (what a great piece of work,
> > > Apache group!).
> > >
> > > Am I being naive here? Does this solution open me up to anything horrible
> > > (assuming that installing CGI programs is controlled). Any comments/insights
> > > would be greatly appreciated.
> >
> > afaik, there is a directive called "ExecCGI" in apache, that will allow
> > <!--#exec cgi...> but not <!--#exec cmd...>. looks like there's no need
> > to hack the source.
> >
> > unfortunately i don't have the docs at hand, so i can't be 100% sure :(
>
> I don't have the docs but I do have the source ;-)
>
> The source appears to say that exec is either allowed or not allowed, and if
> it is allowed, then both cgi and cmd will be allowed.
>
> I could be wrong, though, and I have to admit I don't quite see the logic of
> it.
check out
http://www.apache.org./docs/core.html#options
(ExecCGI is an option, not a directive, as i have previously (mis)stated.)
Andrei D. Caraman ROEDUNET ---- Bucharest
Webmaster, hostmaster, ftpkeeper, sysadmin & many more
xax@arkenstone.pub.ro http://www.pub.ro/~xax/
- Geek code & PGP key available by WWW -
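
Added example, not part of the original message or of Apache: since the thread leaves open whether the server can allow `#exec cgi` while refusing `#exec cmd`, the policy can be audited in the documents themselves. The function names, the `allowed` parameter and the sample page are constructed for illustration; element and attribute names are matched case-insensitively as a conservative choice.

```python
import re

# One SSI directive: <!--#element attr="value" ... -->
DIRECTIVE = re.compile(r'<!--#(\w+)\s+(.*?)\s*-->', re.DOTALL)
# attr="value", attr='value' or attr=value inside a directive
ATTR = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))''')


def find_exec_directives(text):
    """Return (line_number, kind, value) for every #exec directive in text."""
    found = []
    for m in DIRECTIVE.finditer(text):
        if m.group(1).lower() != "exec":
            continue  # #include, #echo, ... are not what this audit is about
        line = text.count("\n", 0, m.start()) + 1
        for a in ATTR.finditer(m.group(2)):
            kind = a.group(1).lower()
            # Exactly one of the three value groups matched; take that one.
            value = next(v for v in a.groups()[1:] if v is not None)
            found.append((line, kind, value))
    return found


def policy_violations(text, allowed=("cgi",)):
    """Return the #exec directives whose kind is not in the allowed set."""
    return [d for d in find_exec_directives(text) if d[1] not in allowed]


# Constructed sample page (not from the original message).
SAMPLE = """<html><body>
<!--#include virtual="/header.html" -->
<!--#exec cgi="/cgi-bin/counter.cgi" -->
<p>Last listing:</p>
<!--#EXEC CMD="ls -l" -->
</body></html>
"""

if __name__ == "__main__":
    for line, kind, value in policy_violations(SAMPLE):
        print(f"line {line}: #exec {kind}={value!r} not permitted")
```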