[3421] in WWW Security List Archive
Re: SSI #exec
daemon@ATHENA.MIT.EDU (Ben Laurie)
Thu Oct 31 07:50:44 1996
To: "Andrei D. Caraman" <xax@arkenstone.pub.ro>
Date: Thu, 31 Oct 1996 09:39:24 +0000 (GMT)
From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
Cc: ben@algroup.co.uk, www-security@ns2.rutgers.edu
In-Reply-To: <Pine.LNX.3.93.961031114518.473B-100000@arkenstone.pub.ro> from "Andrei D. Caraman" at Oct 31, 96 11:50:24 am
Reply-To: ben@algroup.co.uk
Errors-To: owner-www-security@ns2.rutgers.edu
Andrei D. Caraman wrote:
>
> On Thu, 31 Oct 1996, Ben Laurie wrote:
>
> > Andrei D. Caraman wrote:
> > >
> > > On Mon, 28 Oct 1996, Rich Brennan wrote:
> > >
> > > > I'd like to provide server side includes for my users, and I'd also like to
> > > > provide SSI execution of CGI scripts, but disallow the "cmd" option of
> > > > executing random scripts/programs. I feel that this is a decent compromise
> > > > between user available functionality and Web server security. This is probably
> > > > easy to do with the Apache server I'm using (what a great piece of work,
> > > > Apache group!).
> > > >
> > > > Am I being naive here? Does this solution open me up to anything horrible
> > > > (assuming that installing CGI programs is controlled). Any comments/insights
> > > > would be greatly appreciated.
> > >
> > > afaik, there is a directive called "ExecCGI" in apache, that will allow
> > > <!--#exec cgi...> but not <!--#exec cmd...>. looks like there's no need
> > > to hack the source.
> > >
> > > unfortunately i don't have the docs at hand, so i can't be 100% sure :(
> >
> > I don't have the docs but I do have the source ;-)
> >
> > The source appears to say that exec is either allowed or not allowed, and if
> > it is allowed, then both cgi and cmd will be allowed.
> >
> > I could be wrong, though, and I have to admit I don't quite see the logic of
> > it.
>
>
> check out
>
> http://www.apache.org./docs/core.html#options
>
> (ExecCGI is an option, not a directive, as i have previously (mis)stated.)
Yeah. ExecCGI permits execution of CGI scripts. However, IncludesNOEXEC
prevents _all_ exec commands. I don't see a combination which permits CGI
but bans other execs.
BTW, ScriptAlias bypasses the ExecCGI mechanism. Not that this helps!
Cheers,
Ben.
--
Ben Laurie Phone: +44 (181) 994 6435 Email: ben@algroup.co.uk
Freelance Consultant and Fax: +44 (181) 994 6472
Technical Director URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd, Apache Group member (http://www.apache.org)
London, England. Apache-SSL author
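The thread's conclusion is that Apache's Options (as of this message) cannot keep `#exec cgi` while banning `#exec cmd`: `IncludesNOEXEC` removes both. One way to get the compromise Rich asked for anyway is to pre-filter user-supplied HTML before it is served. The following is an added example, not code from this thread or from Apache: a default-deny filter in Python that keeps only an exec directive of the exact form `<!--#exec cgi="..." -->` and neutralises every other `#exec` form. It assumes mod_include's `<!--#element attr="value" -->` directive syntax and a constructed sample page.

```python
"""Policy filter for server-side-include (SSI) directives.

Added example, not Apache code. Default-deny pre-filter: keep
'#exec cgi="..."' directives, remove every other '#exec' form
(notably '#exec cmd') from user HTML before it reaches a server
whose Options cannot tell the two apart.
"""
import re

# An SSI directive runs from '<!--#' to the first '-->'.
# Assumption: directives are not nested (mod_include does not allow it either).
SSI_DIRECTIVE = re.compile(
    r'<!--#\s*(?P<element>[A-Za-z_]+)(?P<attrs>(?:(?!-->).)*)-->', re.DOTALL)

# Only strictly double-quoted name="value" pairs count as well-formed;
# anything else (single quotes, bare values) is treated as not provably safe.
ATTR = re.compile(r'\s*([A-Za-z_]+)\s*=\s*"([^"]*)"')


def parse_attrs(text):
    """Return [(name, value), ...] if text is nothing but well-formed pairs, else None."""
    attrs = []
    pos = 0
    while pos < len(text):
        m = ATTR.match(text, pos)
        if not m:
            # Trailing whitespace is fine; any other leftover is malformed.
            return None if text[pos:].strip() else attrs
        attrs.append((m.group(1).lower(), m.group(2)))
        pos = m.end()
    return attrs


def exec_is_permitted(element, attrs):
    """Allow non-exec directives, and exec only as a lone cgi="..." attribute."""
    if element.lower() != 'exec':
        return True  # include, echo, config, ... never run a shell command
    if attrs is None or len(attrs) != 1:
        return False  # malformed, or cgi= mixed with cmd= or other attributes
    name, _value = attrs[0]
    return name == 'cgi'


def filter_ssi(html):
    """Return (filtered_html, list_of_removed_directives)."""
    removed = []

    def replace(m):
        attrs = parse_attrs(m.group('attrs'))
        if exec_is_permitted(m.group('element'), attrs):
            return m.group(0)
        removed.append(m.group(0))
        # Plain comment, not '<!--#', so mod_include ignores it.
        return '<!-- SSI exec directive removed by policy -->'

    return SSI_DIRECTIVE.sub(replace, html), removed


# Constructed sample page: one include, one CGI exec, one cmd exec,
# and one mixed directive that must also be rejected.
SAMPLE = """<html><body>
<!--#include virtual="/header.html" -->
<!--#exec cgi="/cgi-bin/counter.cgi" -->
<!--#exec cmd="ls -l /" -->
<!--#exec cgi="/cgi-bin/ok.cgi" cmd="id" -->
</body></html>"""


def main():
    out, removed = filter_ssi(SAMPLE)
    print(out)
    for directive in removed:
        print('removed:', directive)


if __name__ == '__main__':
    main()
```

Because the filter is default-deny, anything it cannot parse as exactly one double-quoted `cgi` attribute is removed rather than passed through, so variations in quoting or attribute order do not slip past it; a path policy for the `cgi` value (for instance restricting it to a known script directory) can be added inside `exec_is_permitted`.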