[5030] in WWW Security List Archive
WWW/CGI Security Concerns w/ File Upload
daemon@ATHENA.MIT.EDU (Matt Petteys)
Fri Apr 11 13:19:27 1997
Date: Thu, 10 Apr 1997 15:09:38 -0400 (EDT)
From: Matt Petteys <mpettey@bgnet.bgsu.edu>
To: www-security@ns2.rutgers.edu
In-Reply-To: <334C9382.5191@dial.pipex.com>
Errors-To: owner-www-security@ns2.rutgers.edu

I have a question for those of you who know the Apache web server. I
am working on a listing of resumes for students in my college which will
be searchable via a CGI search engine. As part of this, I would like to
allow students to upload a copy of their resume using the Netscape file
upload features, but want to make sure that all SSIs and CGI access in that
directory are turned off.

1. If this gets inserted into the access.conf file, will it turn off all
of the options that I want in that directory?

    <Directory /home/webhome/{resume_directory}>
    Options None
    </Directory>

or could I give myself the ability to change these options with .htaccess
by putting this in the access.conf

    <Directory /home/webhome/{resume_directory}>
    AllowOverride Options
    </Directory>

and putting a .htaccess file in the directory containing

    Options None

Are my interpretations of the Apache docs & configurations correct in
these instances?

2. Alternatively, because I don't have direct access to root, does
anyone have any suggestions as to what I should search for when uploading the
files? I know to remove any SSIs and not let them download to a file
name that is mapped to a Handler. Any other suggestions for possible
malicious coding?

Thanks for your time.

Matthew Petteys
mpettey@bgnet.bgsu.edu
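
The two upload checks named in point 2 of the message (refusing file names that map to a handler, and removing SSI directives from the content), as an added Python example that is not part of the original post. The extension lists, the function names and the sample bytes are assumptions made for illustration, and the upload directory is still expected to be served with Options None.

```python
import re

# Assumed for this example: extensions the server maps to a handler.
# Replace with the site's own AddHandler/AddType mappings.
HANDLER_EXTENSIONS = {"cgi", "pl", "sh", "shtml", "map", "var", "asis"}
ALLOWED_FINAL_EXTENSIONS = {"txt", "html", "htm"}

SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
# An SSI directive runs from "<!--#" to "-->"; an unterminated one is
# removed through to the end of the data.
SSI_DIRECTIVE = re.compile(rb"<!--#.*?(?:-->|\Z)", re.DOTALL)

# Constructed sample upload, not taken from the original post.
SAMPLE = b'<h1>Resume</h1><!--#exec cmd="id" -->\n<!--#include virtual="/x" -->'


def safe_upload_name(client_name):
    """Return a storable file name, or None if the name must be refused."""
    # Browsers may send a full client-side path; keep the last component only.
    name = re.split(r"[\\/]", client_name)[-1]
    if not SAFE_NAME.fullmatch(name):  # also refuses "", ".htaccess", spaces
        return None
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWED_FINAL_EXTENSIONS:
        return None
    # mod_mime looks at every extension, so "resume.cgi.html" is refused too.
    if any(ext in HANDLER_EXTENSIONS for ext in parts[1:]):
        return None
    return name


def strip_ssi(data):
    """Remove SSI directives from bytes; return (clean_data, removed_count)."""
    removed = 0
    # Repeat until stable: deleting one directive must not splice the text
    # on either side of it into a new "<!--#".
    while True:
        data, n = SSI_DIRECTIVE.subn(b"", data)
        if n == 0:
            return data, removed
        removed += n


if __name__ == "__main__":
    print(safe_upload_name(r"C:\docs\resume.html"), strip_ssi(SAMPLE))
```

A non-zero removed count is worth logging against the uploader, since a resume has no reason to contain a server-side include.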