httpd-dev mailing list archives

From: Brian Behlendorf <br...@wired.com>
Subject: Re: includes security hole
Date: Mon, 10 Apr 1995 23:24:33 GMT
On Mon, 10 Apr 1995, Robert S. Thau wrote:
>    Is there a way to block server side includes running "cmd", and
>    only allowing "cgi" ?
> 
> I believe IncludesNoExec blocks both.

But he wants the granularity of blocking one and allowing the other.  I 
can see his point, though I'm tempted to suggest we backburner it for now.

>    I bet lots of sites have restricted cgi directories but allow any
>    command to be executed via a "cmd" include.
> 
>    If there's no way to block "cmd" while allowing "cgi", then Apache
>    should be fixed.
> 
>    With so many sites allowing people to submit html (e.g. hyperreal and
>    our mailing list), there's a potential security hole here, just waiting
>    to be exploited.
> 
> Only if includes are processed in the submitted HTML... even with
> XBITHACK on, I think that whatever is managing the HTMLified
> discussion forum would have to arrange for this specifically, either
> by writing into .shtml files, or by setting the xbit.

Right - when it's HTML that's being sucked up by a CGI script for 
formatting, httpd won't be able to parse it for server-side includes 
anyways.  FTP uploaders also can't set the X bit, so places (like 
hyperreal) set with that should be safe.  

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@hotwired.com  brian@hyperreal.com  http://www.hotwired.com/Staff/brian/
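The thread's concern is that `IncludesNoExec` switches off both `exec cmd` and `exec cgi`, so a site that wants `cgi` but not `cmd` has no server-side knob, and that submitted HTML is only dangerous if httpd actually hands it to the SSI parser (a `.shtml` name, or the execute bit with `XBitHack` on). The following is an added example, not code from the thread or from Apache: a small Python pre-publication check a forum or upload operator could run over user-submitted HTML to flag `exec cmd` directives while tolerating `exec cgi`, plus a helper that applies the `.shtml` / x-bit rule from the message to decide whether a given file would be parsed at all. The directive regex, the function names and the sample HTML are all assumptions constructed for the example.

```python
import re
import stat

# An SSI directive looks like <!--#element attr="value" ... -->.
# The regex is an assumption for this example; it is not Apache's parser.
SSI_DIRECTIVE = re.compile(r'<!--#\s*(\w+)\s*(.*?)\s*-->', re.DOTALL)
SSI_ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def find_exec_directives(html):
    """Return [(kind, value), ...] for every #exec directive in the HTML.

    kind is 'cmd' (arbitrary shell command) or 'cgi' (a CGI script path),
    in document order. Non-exec directives (#include, #echo, ...) are ignored.
    """
    found = []
    for match in SSI_DIRECTIVE.finditer(html):
        element, attrs = match.group(1).lower(), match.group(2)
        if element != "exec":
            continue
        for name, value in SSI_ATTR.findall(attrs):
            name = name.lower()
            if name in ("cmd", "cgi"):
                found.append((name, value))
    return found


def flag_cmd_only(html):
    """The granularity the thread asks for, applied at submission time instead
    of in httpd: reject #exec cmd, allow #exec cgi. Returns the offending list."""
    return [d for d in find_exec_directives(html) if d[0] == "cmd"]


def would_be_parsed(filename, mode, xbithack=False):
    """Apply the rule from the message: httpd only runs the SSI parser on .shtml
    files, or (with XBitHack on) on files whose owner execute bit is set.
    mode is a st_mode-style integer, e.g. 0o644."""
    if filename.endswith(".shtml"):
        return True
    if xbithack:
        return bool(mode & stat.S_IXUSR)
    return False


# Constructed sample of "submitted HTML" containing one of each exec kind.
SAMPLE_HTML = """<html><body>
<p>Posted by a user.</p>
<!--#exec cgi="/cgi-bin/counter.cgi" -->
<!--#include virtual="/footer.html" -->
<!--#exec cmd="uptime" -->
</body></html>
"""

if __name__ == "__main__":
    print("exec directives:", find_exec_directives(SAMPLE_HTML))
    print("would reject   :", flag_cmd_only(SAMPLE_HTML))
    # An FTP-uploaded .html file with mode 0644 is inert even with XBitHack on.
    print("parsed?        :", would_be_parsed("post.html", 0o644, xbithack=True))
```

`flag_cmd_only` is the compensating control when the server cannot distinguish the two forms; `would_be_parsed` documents why a plain `.html` upload without the execute bit, as described for hyperreal, does not reach the SSI parser in the first place.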

