Date: Thu, 11 Jun 1998 01:42:46 +0200 (CEST)
From: Alvaro Martinez Echevarria <alvaro-httpd@lander.es>
To: Apache <new-httpd@apache.org>
Subject: Re: [PATCH] CGIs not working (PR#2354)
In-Reply-To: <19980610164939.A26867@io.com>
Message-ID: <Pine.LNX.3.96.980611013459.15136A-100000@leon.lander.es>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

On Wed, 10 Jun 1998, Manoj Kasichainula wrote:

> On Wed, Jun 10, 1998 at 11:01:06PM +0200, Alvaro Martinez Echevarria wrot=
e:
> > -both of the test CGIs are installed without execute permissions
> >  by "make install", so if you want to use them you need to
> >  manually do chmod. Shouldn't the installation do that?
>=20
> Although I don't know if this was the reasoning, it is probably not a
> good idea to enable any preinstalled CGI scripts by default, because
> it could lead to problems like the old phf bugs if security holes are
> found. If webmasters have to explicitly enable these scripts (which
> are only useful for testing anyway), they are much more likely to
> disable them when holes are found.

On the default configuration CGIs will not be enabled just by setting
execute permission, because the ScriptAlias directive is
commented out in srm.conf and src.conf.default. The problem comes
out if you set it up to allow CGIs: it won't work until you don't
chmod (and that's not documented anywhere, I think).
Regards.

=2E------------------------------------------------------------------.
|   Alvaro Mart=EDnez Echevarr=EDa   |      LANDER SISTEMAS            |
|        alvaro@lander.es        |      P=BA Castellana, 121         |
`--------------------------------|      28046 Madrid, SPAIN        |
                                 |      Tel: +34-91-5562883        |
                                 |      Fax: +34-91-5563001        |
                                 `---------------------------------'