httpd-dev mailing list archives

From Brian Behlendorf <>
Subject Re: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux
Date Thu, 02 Nov 1995 22:33:48 GMT
On Thu, 2 Nov 1995, Andrew Wilson wrote:
> > >URL exhibiting problem:
> Mmm, well this seems to work, ie you get binary.  I can't find any other
> scripts that do the same thing though.  eg:
> doesn't misbehave in any way.  What's so special about access_count?

WHOA.  Hold the horses.  First:

I have 

  ScriptAlias /cgi-bin /usr/local/

in the srm.conf file for hyperreal's web server, which means it applies 
to as well.  In that directory I have, for example, 
"printenv", so

works as expected.

Second:  There is a /cgi-bin directory off the docroot for, with Randy's name on it.  It's used in a couple pages 
being inlined like so:

  <!--#exec cmd="/export/pub/apache/cgi-bin/access_count"-->

What's the result of having a cgi-bin directory off the docroot, even 
though "cgi-bin" is a scriptalias somewhere else?  The answer is that 
while URLs like 

look for 


the URL

looks for the *file*


Nothing says that file should be executed.  I believe the original bug 
poster may have been confused as to the purpose of the cgi-bin directory, 
as indeed I would be, which he possibly saw by looking at

Conclusion: the only "bug" is that ScriptAlias doesn't match *pattern*, 
just pattern*.


--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--  http://www.[hyperreal,organic].com/
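
The prefix-only matching described in the message, as an added example that is not part of the original message or of Apache's code: a simplified model of the mapping plus an audit that lists files under the docroot sitting in a directory named like a ScriptAlias but resolving as plain static files. The URL layout, the `/constructed/scripts` target and all function names are assumptions made for illustration.

```python
import os
import tempfile

def resolve(url_path, script_aliases, docroot):
    """Simplified model: ScriptAlias is a prefix match (pattern*),
    never a substring match (*pattern*)."""
    for prefix, target in script_aliases:
        if url_path == prefix or url_path.startswith(prefix.rstrip("/") + "/"):
            rest = url_path[len(prefix):].lstrip("/")
            return "cgi", os.path.join(target, rest)
    # No alias prefix matched: the URL maps to a file under the docroot.
    return "static", os.path.join(docroot, url_path.lstrip("/"))

def find_exposed_scripts(docroot, script_aliases):
    """URL paths of docroot files that live in a directory named like an
    alias (e.g. cgi-bin) yet would be served as files, not executed."""
    alias_names = {p.strip("/").split("/")[-1] for p, _ in script_aliases}
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        if os.path.basename(dirpath) not in alias_names:
            continue
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            url = "/" + rel.replace(os.sep, "/")
            handler, _ = resolve(url, script_aliases, docroot)
            if handler == "static":
                exposed.append(url)
    return sorted(exposed)

def demo():
    """Build a constructed docroot and audit it."""
    with tempfile.TemporaryDirectory() as docroot:
        for rel in ("apache/cgi-bin/access_count",  # nested: not under the alias prefix
                    "cgi-bin/shadowed",             # hidden behind the alias
                    "index.html"):
            path = os.path.join(docroot, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        aliases = [("/cgi-bin", "/constructed/scripts")]  # constructed target path
        return find_exposed_scripts(docroot, aliases)

if __name__ == "__main__":
    for url in demo():
        print("served as a file, not executed:", url)
```

Anything the audit reports is downloadable as-is, so such directories belong outside the docroot or behind an explicit access rule.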
