httpd-dev mailing list archives

From Ruediger Pluem <>
Subject Re: Includes vs IncludesNoExec security issue - help needed
Date Thu, 23 Apr 2009 19:23:01 GMT

On 04/23/2009 02:31 PM, Joe Orton wrote:
> A security issue in the handling of the Includes and IncludesNoExec 
> directives was reported recently, and I'm after some help.
> The security issues are as follows:
> a) If "AllowOverride Options=IncludesNoEXEC" is configured in 
>    httpd.conf, a user can put "Options Includes" in an .htaccess
>    file and SSI will be enabled *with* exec= permitted
> b) If "AllowOverride Options=IncludesNoEXEC" is configured in 
>    httpd.conf, and "Options IncludesNoExec" is enabled in the same 
>    <Directory> context, then merely placing "Options +IncludesNoExec" in
>    an .htaccess file also results in SSI enabled with exec= permitted
> These are fixable but one question is left on how a particular 
> combination of Includes and IncludesNoExec is interpreted:
> - if httpd.conf has "Options Includes", and an .htaccess file has
>    "Options +IncludesNoExec" - should exec= be permitted in an SSI?
> I can argue this either way but am tending towards "no"; I'd very much 
> welcome further opinions on this.

Like you, I can find arguments for both, but "no" seems to be the solution
with the least surprise and the safer one, so we should not permit exec in this case.
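The following is an added illustration, not code from httpd or from either poster. It models the Options merge between httpd.conf and .htaccess under the rule this reply argues for (once IncludesNoExec is in effect after merging, SSI exec= is denied), and runs the two reported cases (a) and (b) plus the open question from the quoted mail through it. The directive names are real; the parsing and merge functions, the exact-name AllowOverride matching, the omission of the All/None keywords and the "rejected"/"noexec"/"exec" labels are simplifications made for this example only and do not claim to reproduce httpd's internals.

```python
"""Model of how Includes / IncludesNoExec merge between httpd.conf and
.htaccess under the "no" rule from this thread: if IncludesNoExec is in
effect after merging, SSI exec= is denied.  Added illustration, not
httpd's own code; the parser and merge are a deliberate simplification
(no All/None keywords, exact-name AllowOverride matching)."""

INCLUDES = "Includes"
INCLUDES_NOEXEC = "IncludesNoExec"
# Option names are case-insensitive in httpd; map lower-case to canonical.
KNOWN = {
    "includes": INCLUDES,
    "includesnoexec": INCLUDES_NOEXEC,
    "execcgi": "ExecCGI",
    "indexes": "Indexes",
    "followsymlinks": "FollowSymLinks",
}


class OverrideError(Exception):
    """An .htaccess file set an option that AllowOverride did not grant."""


def _canonical(name):
    canon = KNOWN.get(name.lower())
    if canon is None:
        raise ValueError("unknown option " + name)
    return canon


def parse_options(line):
    """Split 'Options [+|-]Name ...' into (mode, canonical name) pairs."""
    tokens = line.split()
    if not tokens or tokens[0].lower() != "options":
        raise ValueError("not an Options directive: " + line)
    items = []
    for tok in tokens[1:]:
        mode = "="
        if tok[:1] in ("+", "-"):
            mode, tok = tok[0], tok[1:]
        items.append((mode, _canonical(tok)))
    return items


def parse_allow_override(line):
    """Return the option names 'AllowOverride Options=a,b' grants to .htaccess.

    A bare 'AllowOverride Options' grants every known option; anything else,
    including 'AllowOverride None', grants nothing (model simplification).
    """
    tokens = line.split()
    if not tokens or tokens[0].lower() != "allowoverride":
        raise ValueError("not an AllowOverride directive: " + line)
    granted = set()
    for tok in tokens[1:]:
        low = tok.lower()
        if low == "options":
            return set(KNOWN.values())
        if low.startswith("options="):
            granted.update(_canonical(n) for n in tok.split("=", 1)[1].split(","))
    return granted


def apply_options(current, line, allowed=None):
    """Apply one Options directive to the option set `current`.

    `allowed` is None for httpd.conf (anything goes) or the set granted by
    AllowOverride when the line comes from an .htaccess file.
    """
    opts = set(current)
    items = parse_options(line)
    if all(mode == "=" for mode, _ in items):
        opts = set()  # a plain 'Options A B' replaces rather than merges
    for mode, name in items:
        if allowed is not None and name not in allowed:
            raise OverrideError(name + " not allowed here")  # case (a) ends here
        if mode == "-":
            opts.discard(name)
        elif name == INCLUDES:
            opts.discard(INCLUDES_NOEXEC)  # full Includes supersedes the restricted form
            opts.add(INCLUDES)
        elif name == INCLUDES_NOEXEC:
            # NoExec stays set on top of an existing Includes: this is the "no"
            # answer for 'Options Includes' plus '+IncludesNoExec' in .htaccess.
            opts.update((INCLUDES, INCLUDES_NOEXEC))
        else:
            opts.add(name)
    return opts


def ssi_exec_permitted(opts):
    """exec= works only when Includes is on and IncludesNoExec is not."""
    return INCLUDES in opts and INCLUDES_NOEXEC not in opts


def outcome(conf_options, allow_override, htaccess_options=None):
    """Summarise one configuration as 'exec', 'noexec' or 'rejected'."""
    opts = apply_options(set(), conf_options)
    if htaccess_options is not None:
        try:
            opts = apply_options(opts, htaccess_options, parse_allow_override(allow_override))
        except OverrideError:
            return "rejected"
    return "exec" if ssi_exec_permitted(opts) else "noexec"


if __name__ == "__main__":
    # Constructed cases: (a), (b), the open question, and an explicit grant.
    for conf, override, ht in [
        ("Options Indexes", "AllowOverride Options=IncludesNoExec", "Options Includes"),
        ("Options IncludesNoExec", "AllowOverride Options=IncludesNoExec", "Options +IncludesNoExec"),
        ("Options Includes", "AllowOverride Options=IncludesNoExec", "Options +IncludesNoExec"),
        ("Options IncludesNoExec", "AllowOverride Options=Includes", "Options +Includes"),
    ]:
        print("%-24s %-40s %-26s -> %s" % (conf, override, ht, outcome(conf, override, ht)))
```

The last case is the one where exec is legitimately enabled from .htaccess: the administrator granted full Includes in AllowOverride, so "+Includes" clears the NoExec restriction. In every case where only IncludesNoExec was granted, the result is either "rejected" or "noexec", which is the behaviour both bug reports (a) and (b) expected.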


