httpd-dev mailing list archives

From "Carsten Wiedmann" <>
Subject Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
Date Fri, 18 Aug 2006 15:44:15 GMT
Joshua Slive wrote:

> On 8/18/06, Mark J Cox <> wrote:
> > I think the right response here is to make it more explicit in the
> > documentation that putting a ScriptAlias cgi-bin inside document root is
> > bad.
> Yes, this is a relatively common configuration error.  Although this
> does not make it a bug, it does point out that our documentation could
> be clearer.  Unfortunately, the basic problem is that people see the
> ScriptAlias in the default config file and assume that is the only way
> to activate cgi scripts, so regardless of what we put in the docs, it
> won't help that much.

I don't completely agree with you... IMHO the basic "problem" is:
The "URL-path" in ScriptAlias (like in Alias and Location) is compared case 
sensitive first, also on Windows. The "normal" URI to path translation 
(directory-path) not on Windows. That should be better explained in the 

ScriptAlias is not completely the same as an "Options ExecCGI". On Windows you 
can use something like that to avoid the problem:
ScriptAliasMatch "(?i)^/cgi-bin(.*)" "/apache/cgi-bin$1"
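
An added example, not part of the original message or of Apache itself: a small configuration audit for the condition discussed in this thread, flagging a ScriptAlias whose target directory lies inside DocumentRoot while its URL-path is matched case-sensitively. The sample config, the function names and the rule that a "(?i)" prefix in ScriptAliasMatch counts as case-insensitive are assumptions made for this sketch.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample config (not from the thread): the first ScriptAlias points
# inside DocumentRoot, the layout the thread warns about.
SAMPLE_CONF = '''
DocumentRoot "C:/apache/htdocs"
ScriptAlias /cgi-bin/ "C:/Apache/htdocs/cgi-bin/"
ScriptAlias /tools/ "C:/apache/tools-cgi/"
ScriptAliasMatch "(?i)^/cgi-bin(.*)" "C:/apache/htdocs/cgi-bin$1"
'''

DIRECTIVE = re.compile(r'^\s*(DocumentRoot|ScriptAlias(?:Match)?)\s+(.*)$', re.I)

def _args(rest):
    # Split directive arguments, honouring double quotes.
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', rest)]

def _inside(child, parent):
    # PureWindowsPath compares case-insensitively, like the Windows filesystem.
    c, p = PureWindowsPath(child), PureWindowsPath(parent)
    return c == p or p in c.parents

def audit(conf_text):
    """Return (url_pattern, target, reason) for each risky ScriptAlias."""
    docroot, aliases = None, []
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, args = m.group(1).lower(), _args(m.group(2))
        if name == 'documentroot' and args:
            docroot = args[0]
        elif name != 'documentroot' and len(args) >= 2:
            aliases.append((name, args[0], args[1]))
    findings = []
    for name, url, target in aliases:
        # Drop a trailing "$1" backreference before comparing directories.
        if docroot is None or not _inside(target.split('$')[0], docroot):
            continue
        # Assumption: a "(?i)" flag in the pattern makes the URL match case-blind.
        if not (name == 'scriptaliasmatch' and '(?i)' in url):
            findings.append((url, target, 'inside DocumentRoot, case-sensitive URL match'))
    return findings

if __name__ == '__main__':
    for finding in audit(SAMPLE_CONF):
        print(finding)
```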

