[3426] in WWW Security List Archive


Re: SSI #exec

daemon@ATHENA.MIT.EDU (Ben Laurie)
Fri Nov 1 08:01:14 1996

To: ben@algroup.co.uk
Date: Fri, 1 Nov 1996 09:43:25 +0000 (GMT)
From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
Cc: xax@arkenstone.pub.ro, www-security@ns2.rutgers.edu
In-Reply-To:  <9610310939.aa23442@gonzo.ben.algroup.co.uk> from "Ben Laurie" at Oct 31, 96 09:39:24 am
Reply-To: ben@algroup.co.uk
Errors-To: owner-www-security@ns2.rutgers.edu

Ben Laurie wrote:
> 
> Andrei D. Caraman wrote:
> > 
> > On Thu, 31 Oct 1996, Ben Laurie wrote:
> > 
> > > Andrei D. Caraman wrote:
> > > > 
> > > >  On Mon, 28 Oct 1996, Rich Brennan wrote:
> > > >  
> > > > > I'd like to provide server side includes for my users, and I'd also like to
> > > > > provide SSI execution of CGI scripts, but disallow the "cmd" option of
> > > > > executing random scripts/programs. I feel that this is a decent compromise
> > > > > between user available functionality and Web server security. This is probably
> > > > > easy to do with the Apache server I'm using (what a great piece of work,
> > > > > Apache group!).
> > > > >
> > > > > Am I being naive here? Does this solution open me up to anything horrible
> > > > > (assuming that installing CGI programs is controlled). Any comments/insights
> > > > > would be greatly appreciated.
> > > > 
> > > > afaik, there is a directive called "ExecCGI" in apache, that will allow 
> > > > <!--#exec cgi...> but not <!--#exec cmd...>.  looks like there's no need
> > > > to hack the source.
> > > > 
> > > > unfortunately i don't have the docs at hand, so i can't be 100% sure :(
> > > 
> > > I don't have the docs but I do have the source ;-)
> > > 
> > > The source appears to say that exec is either allowed or not allowed, and if
> > > it is allowed, then both cgi and cmd will be allowed.
> > > 
> > > I could be wrong, though, and I have to admit I don't quite see the logic of
> > > it.
> > 
> > 
> > check out  
> > 
> > 	http://www.apache.org./docs/core.html#options
> > 
> > (ExecCGI is an option, not a directive, as i have previously (mis)stated.)
> 
> Yeah. ExecCGI permits execution of CGI scripts. However, IncludesNOEXEC
> prevents _all_ exec commands. I don't see a combination which permits CGI
> but bans other execs.
> 
> BTW, ScriptAlias bypasses the ExecCGI mechanism. Not that this helps!

More news: I am reliably informed that you can run CGIs with <!--#include
virtual...>, even when exec is disabled. I haven't checked this!

Cheers,

Ben.

-- 
Ben Laurie                Phone: +44 (181) 994 6435  Email: ben@algroup.co.uk
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd,         Apache Group member (http://www.apache.org)
London, England.          Apache-SSL author
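The distinction the thread turns on is between `<!--#exec cmd -->`, `<!--#exec cgi -->` and an `<!--#include virtual -->` that reaches a CGI. As an added example that is not part of the original thread or of Apache itself, here is a small Python audit that parses SSI directives out of `.shtml` content and counts them by that distinction, so an admin can see whether any page actually relies on `#exec cmd` before deciding between `Options Includes` and `Options IncludesNOEXEC`. The sample page and the `/cgi-bin/` prefix used to spot CGI includes are constructed assumptions.

```python
import re
from typing import Dict, List

# One SSI directive: <!--#name key="value" key2='value' -->
# Apache accepts double-, single- and backtick-quoted attribute values.
DIRECTIVE_RE = re.compile(r"<!--#\s*(\w+)\s+(.*?)\s*-->", re.DOTALL)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|`([^`]*)`)""")

# Constructed sample page (assumption, not taken from any real site).
SAMPLE_SHTML = """<!--#include virtual="/header.html" -->
<p>Last modified: <!--#flastmod file="index.shtml" --></p>
<!--#exec cgi="/cgi-bin/counter.cgi" -->
<!--#exec cmd="uptime" -->
<!--#include virtual="/cgi-bin/counter.cgi?page=index" -->
"""


def parse_ssi_directives(text: str) -> List[Dict[str, str]]:
    """Return every SSI directive in text as {'name': ..., attr: value, ...}."""
    found = []
    for m in DIRECTIVE_RE.finditer(text):
        d = {"name": m.group(1).lower()}
        for a in ATTR_RE.finditer(m.group(2)):
            # exactly one of the three quoted alternatives matched
            d[a.group(1).lower()] = next(v for v in a.groups()[1:] if v is not None)
        found.append(d)
    return found


def classify(directive: Dict[str, str]) -> str:
    """Label one directive by the categories the thread distinguishes."""
    name = directive["name"]
    if name == "exec" and "cmd" in directive:
        return "exec-cmd"  # arbitrary shell command: the case the admin wanted to forbid
    if name == "exec" and "cgi" in directive:
        return "exec-cgi"  # runs an installed CGI; acceptable only if CGI installation is controlled
    if name == "include" and directive.get("virtual", "").startswith("/cgi-bin/"):
        return "include-virtual-cgi"  # CGI reached via #include rather than #exec
    return "benign"


def audit(text: str) -> Dict[str, int]:
    """Count directives per class; any 'exec-cmd' hit argues for IncludesNOEXEC."""
    counts: Dict[str, int] = {}
    for d in parse_ssi_directives(text):
        label = classify(d)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print(audit(SAMPLE_SHTML))
```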
