httpd-dev mailing list archives

From David Burry <dbu...@tagnet.org>
Subject Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
Date Sat, 19 Aug 2006 18:05:01 GMT
Joshua Slive wrote:
> <note><directive>ScriptAlias</directive> is used to
> <strong>both</strong> map a URL to a directory <strong>and</strong>
> mark requests for that URL as pointing to CGI scripts.  It should not
> be used for directories that are already accessible from the web
> because they are under the <directive
> module="core">DocumentRoot</directive>, for example.  Instead, you can
> use:
> <example>
> &lt;Directory /usr/local/apache2/htdocs/cgi-dir &gt;<br />
> SetHandler cgi-script<br />
> Options ExecCGI<br />
> &lt;/Directory&gt;
> </example></note>

I like the idea of this documentation addition, plus maybe an 
explanation about why it is recommended on the security tips page 
(something about the differences between URLs and paths in the 
configuration, and the security implications of the difference, using 
CGI as an example), with a reference to it in the ScriptAlias section.

This is important to me because after reading this thread, I've realized 
I never thought about these particular security hazards of referencing 
something by their <Location> or Alias (which is always case sensitive 
and has different ways of referencing the same characters), vs by their 
<Directory> or <File> (which is case insensitive on some operating 
systems, and normalizes all those character differences before trying to 
match).  And now I need to go do an audit of my web servers to make sure...

Dave
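As an added example, not part of this message or of the httpd project, here is a small Python audit script of the kind Dave says he now needs: it parses a constructed httpd.conf fragment and flags every ScriptAlias or ScriptAliasMatch whose filesystem target sits under DocumentRoot, which is exactly the layout where one directory is reachable both as CGI (via the alias URL) and as plain files (via its DocumentRoot-relative URL). The directive names are real Apache ones; the configuration contents and paths are constructed sample data.

```python
import os
import re

# Constructed sample httpd.conf fragment (not a real server's config): one
# ScriptAlias outside DocumentRoot (the conventional layout) and two aliases
# whose targets are inside DocumentRoot (the pattern the thread warns about).
SAMPLE_CONF = """
DocumentRoot "/usr/local/apache2/htdocs"
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
ScriptAlias /cgi-dir/ "/usr/local/apache2/htdocs/cgi-dir/"
ScriptAliasMatch ^/scripts/(.*) "/usr/local/apache2/htdocs/scripts/$1"
"""

# ScriptAliasMatch is listed before ScriptAlias so the longer name wins.
_DIRECTIVE = re.compile(
    r'^\s*(DocumentRoot|ScriptAliasMatch|ScriptAlias)\s+(.*)$', re.I | re.M)

def _args(rest):
    """Split a directive's arguments, honouring double-quoted values."""
    return [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', rest)]

def _normalise(path):
    # Compare filesystem paths the way the server does: normalised, and
    # case-folded on Windows where the filesystem is case-insensitive.
    p = os.path.normpath(path)
    return os.path.normcase(p) if os.name == "nt" else p

def find_scriptalias_inside_docroot(conf_text):
    """Return (url, fs_path) for each ScriptAlias(Match) target under DocumentRoot."""
    docroot, aliases = None, []
    for name, rest in _DIRECTIVE.findall(conf_text):
        args = _args(rest)
        if name.lower() == "documentroot":
            docroot = _normalise(args[0])
        elif len(args) >= 2:
            aliases.append((args[0], args[1]))
    if docroot is None:
        return []
    findings = []
    for url, target in aliases:
        # Drop $1-style back-references so a ScriptAliasMatch target can be compared.
        target = _normalise(re.sub(r'\$\d', '', target))
        if target == docroot or target.startswith(docroot + os.sep):
            findings.append((url, target))
    return findings

if __name__ == "__main__":
    for url, path in find_scriptalias_inside_docroot(SAMPLE_CONF):
        print(f"{url} -> {path} is under DocumentRoot; prefer <Directory> with "
              f"SetHandler cgi-script and Options ExecCGI")
```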
