httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Manoj Kasichainula <>
Subject Re: WIN32 CGI - SECURITY THREAT - 4 OF 4
Date Tue, 26 Jan 1999 05:36:20 GMT
On Tue, Jan 26, 1999 at 12:05:34AM -0500, wrote:
> If SCRIPTS have to be in a 'special area' then why not ALL EXECUTABLES
> including a 'trusted' COMMAND.COM and CMD.EXE. An Admin 
> could easily 'patch out' the dangerous 'legacy' options and be sure
> that when Apache pops-off 'CMD' or 'COMMAND'... it's doing it safely.
> At least this would give a Win32 Admin a CHANCE to lock the system
> down and still offer flexible CGI to customers.

So, this is not a security hole you're describing then. Nor is this
really a win32 specific problem in the way you're describing it.

You are looking for a way to change the standard restrictions on
users and CGI access without opening up your server.

I would suggest a port of suexec to Windows instead (though I really
don't understand the implications on that platform).


View raw message