httpd-cvs mailing list archives

Subject cvs commit: httpd-docs-1.3/htdocs/manual/misc security_tips.html
Date Fri, 05 Oct 2001 21:23:46 GMT
slive       01/10/05 14:23:46

  Modified:    htdocs/manual/misc security_tips.html
  Some more detail about SSI security.
  With some changes by Chris Pepper, Cliff Woolley, and Joshua Slive.
  Submitted by:	Allan Liska <>
  Revision  Changes    Path
  1.26      +42 -8     httpd-docs-1.3/htdocs/manual/misc/security_tips.html
  Index: security_tips.html
  RCS file: /home/cvs/httpd-docs-1.3/htdocs/manual/misc/security_tips.html,v
  retrieving revision 1.25
  retrieving revision 1.26
  diff -u -d -b -u -r1.25 -r1.26
  --- security_tips.html	2001/10/02 15:40:07	1.25
  +++ security_tips.html	2001/10/05 21:23:46	1.26
  @@ -95,15 +95,49 @@
       <h2><a id="ssi" name="ssi">Server Side Includes</a></h2>
  -    <p>Server side includes (SSI) can be configured so that users
  -    can execute arbitrary programs on the server. That thought
  -    alone should send a shiver down the spine of any sys-admin.</p>
  +    <p>Server Side Includes (SSI) present a server administrator with
  +    several potential security risks.</p>
  -    <p>One solution is to disable that part of SSI. To do that you
  -    use the IncludesNOEXEC option to the <a
  -    href="../mod/core.html#options">Options</a> directive.</p>
  +    <p>
  +    The first risk is the increased load on the server.  All SSI-enabled
  +    files have to be parsed by Apache, whether or not there are any SSI
  +    directives included within the files.  While this load increase is
  +    minor, in a shared server environment it can become significant.</p>
  -    <p></p>
  +    <p>
  +    SSI files also pose the same risks that are associated with CGI
  +    scripts in general.  Using the "exec cmd" element, SSI-enabled
  +    files can execute any CGI script or program under the permissions
  +    of the user and group Apache runs as, as configured in httpd.conf.
  +    That should definitely give server administrators pause.</p>
  +    <p>
  +    There are ways to enhance the security of SSI files while still taking
  +    advantage of the benefits they provide.</p>
  +    <p>To isolate the damage a wayward SSI file can cause, a server
  +    administrator can enable <a href="../docs/suexec.html"
  +    >suexec</a> as described in the <a href="#cgi">CGI in General</a>
  +    section.</p>
  +    <p>
  +    Enabling SSI for files with .html or .htm extensions can be
  +    dangerous.  This is especially true in a shared, or high traffic,
  +    server environment.  SSI-enabled files should have a separate
  +    extension, such as the conventional .shtml.  This helps keep
  +    server load at a minimum and allows for easier management of
  +    risk.</p>
  +    <p>Another solution is to disable the ability to run scripts and
  +    programs from SSI pages. To do this replace <code>Includes</code>
  +    with <code>IncludesNOEXEC</code> in the <a
  +    href="../mod/core.html#options">Options</a> directive.  Note that
  +    users may still use &lt;--#include virtual="..." --&gt; to execute
  +    CGI scripts if these scripts are in directories desginated by a <a
  +    href="../mod/mod_alias.html#ScriptAlias">ScriptAlias</a>
  +    directive.</p>
       <hr />
       <h2><a id="nsaliasedcgi" name="nsaliasedcgi">Non Script Aliased
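Review bot: the SSI directive quoted in the last new paragraph, `&lt;--#include virtual="..." --&gt;`, is missing the `!` that opens an HTML comment; an SSI directive has the form `<!--#include virtual="..." -->`, so as written the example would show up as broken markup rather than an include. In the same paragraph, "desginated" should read "designated". Two smaller points: the second new paragraph says "exec cmd" can execute any CGI script or program, but `exec cmd` runs a shell command and `exec cgi` is the form that runs a CGI script, so naming both (or saying "the exec element") would be more precise; and the suexec link `../docs/suexec.html` is worth checking, since the other links in this hunk resolve via `../mod/...` from the misc directory.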