[15029] in bugtraq
Re: Problem with FrontPage on Cobalt RaQ2/RaQ3
daemon@ATHENA.MIT.EDU (Noah)
Wed May 24 17:01:32 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.10005231350440.23217-100000@stanis.onastick.net>
Date: Tue, 23 May 2000 13:54:44 -0400
Reply-To: Noah <sitz@ONASTICK.NET>
From: Noah <sitz@ONASTICK.NET>
X-To: Chris Adams <cmadams@HIWAAY.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000523100045.B11049@HiWAAY.net>
On Tue, 23 May 2000, Chris Adams wrote:
> You can bypass cgiwrap because the Apache config files have the line
> "AllowOverride All". All you have to do is create an .htaccess file
> with these lines in it:
>
> Options +ExecCGI
> AddHandler cgi-script .cgi
Ah, but you see, here's the kicker. Unless the FPE for Unix have changed
drastically since last I frobbed with them, they *require* "AllowOverride
All" in order to work correctly.
Which is not to say there may not be another fix for this particular
issue. You can use "order deny,allow" and "{deny,allow} from" directives
to limit access from trusted IPs, for starters. Which doesn't eliminate
the issue, but certainly contains it somewhat. This makes the assumption
that such a fix will function correctly in your environment, of course.
--noah
"information warfare is a growth industry"
- David Loundy
