httpd-dev mailing list archives

From Rob Hartill <r...@imdb.com>
Subject Re: security hole with ScriptLog
Date Sun, 12 Jan 1997 05:12:19 GMT
On Sat, 11 Jan 1997, Brian Behlendorf wrote:

> 
> A patch which closes stdin to the script as soon as the script starts
> sending stdout stuff would fix this,

how?

The script I included doesn't capture STDIN, "ScriptLog" does it for you.

As for Alexei's comment about ScriptLog not really being for live servers,
that's all fine and well, but there's no mention of that to the unsuspecting
users.

  ScriptLog
  
  Syntax: ScriptLog filename
  Default: none
  Context: resource config
  Status: mod_cgi 
  
  The ScriptLog directive sets the CGI script error logfile. If no
  ScriptLog is given, no error log is created. If given, any CGI errors
  are logged into the filename given as argument. If this is a
  relative file or path it is taken relative to the server root. 
 

- people reading that won't interpret the feature anywhere close to Alexei's
interpretation.

I certainly wouldn't brush the problem aside. It's a security hole with
very nasty consequences if abused. People testing Auth protected scripts
are going to leave passwords in the ScriptLog file. Security holes don't
get much worse than that.

rob
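A defender's check for the problem Rob describes, added here as an example and not part of the original thread or of the Apache code: it scans a CGI error log for Basic credentials and password form fields that ScriptLog copied from the request, reports which identities appear (never the secrets), and produces a redacted copy that is safe to share. The sample log and the `%request` block layout are constructed assumptions, not taken from the 1997 server.

```python
import base64
import re

# Constructed sample in the style of a mod_cgi ScriptLog entry (assumed
# layout: a %request block of headers, a blank line, then the POST body
# that the server copied from the script's stdin). Not a real log.
SAMPLE_SCRIPTLOG = """\
%% [Sat Jan 11 23:10:02 1997] POST /cgi-bin/test.cgi HTTP/1.0
%% 500 /usr/local/etc/httpd/cgi-bin/test.cgi
%request
Host: www.example.test
Authorization: Basic YWxpY2U6aHVudGVyMg==
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

user=alice&password=hunter2&x=1
%response
Content-type: text/html
%stdout
%stderr
Premature end of script headers
"""

# Basic credentials in a logged request header, and common secret-bearing
# form fields in a logged POST body.
AUTH_RE = re.compile(r"^(Authorization:\s*Basic\s+)(\S+)", re.I | re.M)
FORM_RE = re.compile(
    r"((?:^|&)(?:pass(?:word|wd)?|pwd|secret|token)=)([^&\s]*)", re.I | re.M)

def find_credentials(text):
    """Return (kind, identity) pairs for each credential found in the log.

    For a Basic header only the user name is returned, never the password.
    """
    found = []
    for m in AUTH_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(2)).decode("latin-1")
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = "?"
        found.append(("basic-auth", decoded.split(":", 1)[0]))
    for m in FORM_RE.finditer(text):
        found.append(("form-field", m.group(1).strip("&=")))
    return found

def redact(text):
    """Return a copy of the log with every credential value blanked out."""
    text = AUTH_RE.sub(r"\1[REDACTED]", text)
    return FORM_RE.sub(r"\1[REDACTED]", text)
```

Run `find_credentials` over an existing ScriptLog file before rotating or sharing it; if it returns anything, the log has captured secrets and the redacted copy from `redact` is the one to keep.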
