From: David Burry
To: dev@httpd.apache.org
Date: Sat, 19 Aug 2006 11:05:01 -0700
Subject: Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
Message-ID: <44E752CD.1040709@tagnet.org>

Joshua Slive wrote:
> ScriptAlias is used to both map a URL to a directory and mark requests
> for that URL as pointing to CGI scripts. It should not be used for
> directories that are already accessible from the web because they are
> under the DocumentRoot, for example. Instead, you can use:
>
> <Directory /usr/local/apache2/htdocs/cgi-dir>
>     SetHandler cgi-script
>     Options ExecCGI
> </Directory>
>
I like the idea of this documentation addition, plus maybe an explanation about why it is recommended on the security tips page (something about the differences between URLs and paths in the configuration, and the security implications of the difference, using CGI as an example), with a reference to it in the ScriptAlias section.

This is important to me because after reading this thread, I've realized I never thought about these particular security hazards of referencing something by their or Alias (which is always case sensitive and has different ways of referencing the same characters), vs by their or (which is case insensitive on some operating systems, and normalizes all those character differences before trying to match). And now I need to go do an audit of my web servers to make sure...

Dave
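The audit Dave mentions can be scripted. The following is an added example and is not code from the thread or from the httpd project: it reads an httpd.conf, collects `DocumentRoot` and `ScriptAlias` lines, and flags any ScriptAlias whose filesystem target already sits under DocumentRoot, since such a directory is also reachable through a plain document URL where the URL-based handler mapping does not apply. The comparison is done case-insensitively (and with `\` folded to `/`) when the server runs on a case-insensitive filesystem such as Windows, which is exactly the mismatch between URL matching and path matching described above. The sample configuration embedded below is constructed for the example; the `<Directory>` + `SetHandler cgi-script` block it suggests is the replacement Joshua's message recommends.

```python
"""Flag ScriptAlias targets that are already reachable under DocumentRoot.

Added example, not part of the mailing-list thread or of httpd itself.
Only DocumentRoot and ScriptAlias lines are parsed; containers such as
<VirtualHost> are deliberately ignored to keep the check simple.
"""
import re

# Constructed sample httpd.conf fragment (not a real server's configuration).
SAMPLE_CONF = r'''
DocumentRoot "C:/Apache2/htdocs"
# Outside DocumentRoot: reachable only through the ScriptAlias URL mapping.
ScriptAlias /cgi-bin/ "C:/Apache2/cgi-bin/"
# Inside DocumentRoot, spelled with different case and backslashes: on a
# case-insensitive filesystem this is the same directory as htdocs/cgi-dir,
# so /cgi-dir/... reaches the scripts without the cgi-script handler.
ScriptAlias /scripts/ "C:\Apache2\HTDOCS\cgi-dir"
'''

# Directive names are case-insensitive in httpd.conf; arguments may be quoted.
_DIRECTIVE = re.compile(r'^\s*(DocumentRoot|ScriptAlias)\s+(.*?)\s*$', re.IGNORECASE)
_ARG = re.compile(r'"([^"]*)"|(\S+)')


def normalize_path(path, case_insensitive):
    """Fold separators and (optionally) case so two spellings of one directory compare equal."""
    p = re.sub(r'/+', '/', path.replace('\\', '/')).rstrip('/')
    return p.lower() if case_insensitive else p


def is_under(child, parent, case_insensitive):
    """True if child is parent itself or a directory below it, after normalization."""
    c = normalize_path(child, case_insensitive)
    p = normalize_path(parent, case_insensitive)
    return c == p or c.startswith(p + '/')


def suggested_block(fs_dir):
    """The path-based alternative from the thread: mark the directory itself as CGI."""
    return ('<Directory "%s">\n    SetHandler cgi-script\n    Options ExecCGI\n</Directory>'
            % fs_dir.replace('\\', '/').rstrip('/'))


def audit_scriptalias(conf_text, case_insensitive=True):
    """Return one finding per ScriptAlias whose target lies under DocumentRoot."""
    docroot = None
    aliases = []
    for line in conf_text.splitlines():
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        name, rest = m.group(1).lower(), m.group(2)
        args = [quoted or bare for quoted, bare in _ARG.findall(rest)]
        if name == 'documentroot' and args:
            docroot = args[0]
        elif name == 'scriptalias' and len(args) >= 2:
            aliases.append((args[0], args[1]))

    findings = []
    if docroot is None:
        return findings
    for url_prefix, fs_dir in aliases:
        if is_under(fs_dir, docroot, case_insensitive):
            findings.append({
                'url': url_prefix,
                'dir': fs_dir,
                'reason': 'ScriptAlias target is under DocumentRoot %s; '
                          'also reachable as a plain document path' % docroot,
                'suggestion': suggested_block(fs_dir),
            })
    return findings


if __name__ == '__main__':
    for f in audit_scriptalias(SAMPLE_CONF, case_insensitive=True):
        print('%s -> %s: %s\n%s\n' % (f['url'], f['dir'], f['reason'], f['suggestion']))
```

Run it against a real configuration with `audit_scriptalias(open(path).read(), case_insensitive=<True on Windows>)`. Set `case_insensitive=False` for a case-sensitive Unix filesystem, where `HTDOCS` and `htdocs` really are different directories and the same line would not be flagged.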