httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Hartill <hart...@ooo.lanl.gov>
Subject includes security hole
Date Mon, 10 Apr 1995 15:01:03 GMT

Is there a way to block server side includes running "cmd", and
only allowing "cgi" ?

I bet lots of sites have restricted cgi directories but allow any
command to be executed via a "cmd" include.

If there's no way to block "cmd" while allowing "cgi", then Apache
should be fixed.

With so many sites allowing people to submit html (e.g. hyperreal and
our mailing list), there's a potential security hole here, just waiting
to be exploited.

robh

Mime
View raw message