httpd-dev mailing list archives

From "Carsten Wiedmann" <carsten_st...@gmx.de>
Subject Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
Date Fri, 18 Aug 2006 15:44:15 GMT
Joshua Slive wrote:

> On 8/18/06, Mark J Cox <mark@awe.com> wrote:
> > I think the right response here is to make it more explicit in the
> > documentation that putting a ScriptAlias cgi-bin inside document root is
> > bad.
>
> Yes, this is a relatively common configuration error.  Although this
> does not make it a bug, it does point out that our documentation could
> be clearer.  Unfortunately, the basic problem is that people see the
> ScriptAlias in the default config file and assume that is the only way
> to activate cgi scripts, so regardless of what we put in the docs, it
> won't help that much.

I don't completely agree with you... IMHO the basic "problem" is:
The "URL-path" in ScriptAlias (like in Alias and Location) is compared
case-sensitively first, also on Windows. The "normal" URI to path translation
(directory-path) is not on Windows. That should be better explained in the
manual.

BTW:
ScriptAlias is not completely the same as an "Options ExecCGI". On Windows you
can use something like this to avoid the problem:
ScriptAliasMatch "(?i)^/cgi-bin(.*)" "/apache/cgi-bin$1"

Regards,
Carsten
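
A configuration check for the situation discussed in this thread, added here as an example and not part of the original messages or of Apache httpd: it flags script aliases whose target directory lies inside DocumentRoot, comparing paths case-insensitively as Windows does. The helper names `inside` and `audit` and the sample configurations are constructed, and treating a `ScriptAliasMatch` pattern that begins with `(?i)` as covered is an assumption based on the workaround in the message above.

```python
import re
from pathlib import PureWindowsPath

TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted argument or a bare word

def inside(child, parent):
    """True if child is parent or below it, compared case-insensitively (Windows rules)."""
    c, p = PureWindowsPath(child), PureWindowsPath(parent)
    return c == p or p in c.parents

def audit(conf_text):
    """Return (directive, url_pattern, target) for script aliases mapping into a DocumentRoot."""
    docroots, aliases = [], []
    for raw in conf_text.splitlines():
        t = [q or b for q, b in TOKEN.findall(raw.strip())]
        if not t or t[0].startswith("#"):
            continue
        name = t[0].lower()  # directive names are case-insensitive
        if name == "documentroot" and len(t) >= 2:
            docroots.append(t[1])
        elif name in ("scriptalias", "scriptaliasmatch") and len(t) >= 3:
            aliases.append((t[0], t[1], t[2]))
    findings = []
    for directive, url, target in aliases:
        # Assumption: a ScriptAliasMatch pattern starting with (?i) is the workaround from the message
        folds_case = directive.lower() == "scriptaliasmatch" and url.startswith("(?i)")
        if not folds_case and any(inside(target, d) for d in docroots):
            findings.append((directive, url, target))
    return findings

# Constructed sample configurations (not taken from any real server)
WEAK = '''
DocumentRoot "C:/Apache/htdocs"
ScriptAlias /cgi-bin/ "C:/apache/htdocs/cgi-bin/"
'''
OUTSIDE_DOCROOT = '''
DocumentRoot "C:/Apache/htdocs"
ScriptAlias /cgi-bin/ "C:/Apache/cgi-bin/"
'''
CASE_INSENSITIVE_MATCH = '''
DocumentRoot "C:/Apache/htdocs"
ScriptAliasMatch "(?i)^/cgi-bin(.*)" "C:/Apache/htdocs/cgi-bin$1"
'''

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("outside", OUTSIDE_DOCROOT), ("match", CASE_INSENSITIVE_MATCH)):
        print(label, audit(conf))
```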


