httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua Slive" <jos...@slive.ca>
Subject Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
Date Fri, 18 Aug 2006 13:53:29 GMT
On 8/18/06, Mark J Cox <mark@awe.com> wrote:
> See
> http://marc.theaimsgroup.com/?l=bugtraq&m=115527423727441&w=2
>
> which basically reports "if you put cgi-bin under docroot then you can
> view cgi scripts on OS which have case insensitive filesystems"
>
> Joe replied:
> http://marc.theaimsgroup.com/?l=bugtraq&m=115574424402976&w=2
> and I submitted that as an "DISPUTED" to CVE
>
> But the original reporter disagrees:
> http://marc.theaimsgroup.com/?l=bugtraq&m=115583509231594&w=2
>
> I think the right response here is to make it more explicit in the
> documentation that putting a ScriptAlias cgi-bin inside document root is
> bad.

Yes, this is a relatively common configuration error.  Although this
does not make it a bug, it does point out that our documentation could
be clearer.  Unfortunately, the basic problem is that people see the
ScriptAlias in the default config file and assume that is the only way
to activate cgi scripts, so regardless of what we put in the docs, it
won't help that much.

Something like the following should probably be added to the docs for
ScriptAlias (and perhaps in the CGI tutorial):

<note><directive>ScriptAlias</directive> is used to
<strong>both</strong> map a URL to a directory <strong>and</strong>
mark requests for that URL as pointing to CGI scripts.  It should not
be used for directories that are already accessible from the web
because they are under the <directive
module="core">DocumentRoot</directive>, for example.  Instead, you can
use:
<example>
&lt;Directory /usr/local/apache2/htdocs/cgi-dir &gt;<br />
SetHandler cgi-script<br />
Options ExecCGI<br />
&lt;/Directory&gt;
</example></note>

Joshua.

Mime
View raw message