httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: Includes vs IncludesNoExec security issue - help needed
Date Thu, 23 Apr 2009 19:23:01 GMT


On 04/23/2009 02:31 PM, Joe Orton wrote:
> A security issue in the handling of the Includes and IncludesNoExec 
> directives was reported recently, and I'm after some help.
> 
> The security issues are as follows:
> 
> a) If "AllowOverride Options=IncludesNoEXEC" is configured in 
>    httpd.conf, a user can put "Options Includes" in an .htaccess
>    file and SSI will be enabled *with* exec= permitted
> 
> b) If "AllowOverride Options=IncludesNoEXEC" is configured in 
>    httpd.conf, and "Options IncludesNoExec" is enabled in the same 
>    <Directory> context, then merely placing "Options +IncludesNoExec" in
>    an .htaccess file also results in SSI enabled with exec= permitted
> 
> These are fixable but one question is left on how a particular 
> combination of Includes and IncludesNoExec is interpreted:
> 
> - if httpd.conf has "Options Includes", and an .htaccess file has
>    "Options +IncludesNoExec" - should exec= be permitted in an SSI?
> 
> I can argue this either way but am tending towards "no"; I'd very much 
> welcome further opinions on this.

Like you, I can find arguments for both, but "no" seems to be the solution with the
least surprise and the safer one, so we should not permit exec in this case.

Regards

Rüdiger
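The three configurations discussed in the thread (cases a and b from Joe's report, and the "Options Includes" plus "+IncludesNoExec" question Rüdiger answers with "no"), modelled as a small checker. This is an added example and not httpd code or anything from the thread: the `AllowOverride Options=opt,...` check follows the documented meaning of that directive (only the listed options may be set from `.htaccess`), while the merge rule that exec= is refused whenever IncludesNoExec has been merged in at any level is the conservative interpretation the thread settles on, assumed here rather than taken from the server. Function names and the sample directives are constructed for the example.

```python
"""Model of the Includes / IncludesNoExec override rules from the thread.

Added example, not httpd code. AllowOverride handling follows the documented
"Options=opt,..." meaning (only listed options may be set from .htaccess);
the merge rule implements the conservative "IncludesNoExec wins" reading.
Sample directives below are constructed for the example.
"""


class OverrideNotPermitted(Exception):
    """Raised when an .htaccess Options line names an option that the
    AllowOverride Options=... list does not allow (httpd would answer 500)."""


def parse_options(directive):
    """Split 'Options [+|-]Opt ...' into (is_absolute, [(action, name), ...]).
    Names are lower-cased because httpd matches option names case-insensitively."""
    tokens = directive.split()[1:]
    pairs = []
    for tok in tokens:
        action = tok[0] if tok[0] in "+-" else ""
        pairs.append((action, tok.lstrip("+-").lower()))
    is_absolute = all(action == "" for action, _ in pairs)
    return is_absolute, pairs


def check_override(allowed, directive):
    """Reject an .htaccess Options directive that touches any option outside
    the AllowOverride Options= list, e.g. 'Options Includes' under
    'AllowOverride Options=IncludesNoExec' (case a in the thread)."""
    _, pairs = parse_options(directive)
    for _, name in pairs:
        if name not in allowed:
            raise OverrideNotPermitted(name)


def merge_options(base, directive):
    """Merge one Options directive into the inherited option set.
    An absolute list replaces the inherited set; +/- forms adjust it.
    'None' clears everything; 'All' is not modelled here."""
    is_absolute, pairs = parse_options(directive)
    opts = set() if is_absolute else set(base)
    for action, name in pairs:
        if name == "none":
            opts.clear()
        elif action == "-":
            opts.discard(name)
        else:
            opts.add(name)
    return opts


def exec_permitted(opts):
    """Conservative rule from the thread: exec= is allowed only when Includes
    is on and IncludesNoExec has not been merged in at any level."""
    return "includes" in opts and "includesnoexec" not in opts


def effective_exec(httpd_conf_options, allow_override, htaccess_options):
    """Apply the server-level Options, then the .htaccess Options (if the
    override is permitted) and report whether exec= ends up allowed.
    Returns (override_permitted, exec_allowed); exec_allowed is None when
    the .htaccess is refused outright."""
    base = merge_options(set(), httpd_conf_options)
    try:
        check_override(allow_override, htaccess_options)
    except OverrideNotPermitted:
        # httpd refuses the .htaccess entirely rather than serving the
        # directory with the server-level options.
        return False, None
    return True, exec_permitted(merge_options(base, htaccess_options))


if __name__ == "__main__":
    allowed = {"includesnoexec"}  # AllowOverride Options=IncludesNoExec
    # a) .htaccess tries 'Options Includes': must be refused
    print(effective_exec("Options IncludesNoExec", allowed, "Options Includes"))
    # b) same Directory has IncludesNoExec, .htaccess adds +IncludesNoExec
    print(effective_exec("Options IncludesNoExec", allowed, "Options +IncludesNoExec"))
    # c) httpd.conf has Includes, .htaccess adds +IncludesNoExec: no exec
    print(effective_exec("Options Includes", allowed, "Options +IncludesNoExec"))
```

Under this model cases a and b can never end with exec= enabled: the first is rejected at the AllowOverride check, the second merges to IncludesNoExec only. The third case is the one the thread is asking about, and with the "IncludesNoExec wins" rule exec= is refused there too, which is the answer Rüdiger gives above.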

