httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: [PATCH 49220] mod_fcgid - restrict arbitrary command execution from .htaccess files
Date Fri, 20 Sep 2013 20:33:05 GMT
On Fri, Sep 20, 2013 at 4:31 PM, Benjamin Coddington <bcodding@uvm.edu> wrote:

> Hello everyone,
>
> We're looking at moving our shared hosting execution behind mod_fcgid and
> suexec, but we need to continue to allow our users .htaccess 'Files'
> overrides.  The current mod_fcgid allows users to execute arbitrary
> commands by configuring the FcgidAccessChecker, FcgidAuthenticator,
> FcgidAuthorizer, and FcgidWrapper directives within .htaccess files.
>
>  - https://issues.apache.org/bugzilla/show_bug.cgi?id=49220
>
> I've approached a fix by creating a directive that would disable the
> application of those directives within .htaccess files if set; that patch
> has been submitted to the httpd bug 49220.
>
> You might shrewdly wonder "how can this matter - this is cgi after all,
> we're just going to try to exec the resulting file!", but we're able to get
> away from that by disabling ExecCGI globally and setting it per-request in
> a separate module which also ensures the request is mapped to our specific
> FcgidWrapper.
>
> I see mod_fcgid 2.3.8 is closing in a few days; any chance to sneak this
> in?  Thanks for your time and consideration.
>
> Ben


Unless someone else speaks up, I'll spend some time on it.


-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
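
An audit sketch for the exposure described in the quoted message, added here as an example (not code from this thread or from mod_fcgid): it walks a document root and reports per-directory override files that set any of the four directives named above. The file name `.htaccess` (Apache's default `AccessFileName`), the function names and the sample content are assumptions of this example.

```python
import os

# Directives the quoted message names as usable from .htaccess to run commands.
RISKY = {"fcgidaccesschecker", "fcgidauthenticator",
         "fcgidauthorizer", "fcgidwrapper"}

# Constructed sample override file (not taken from any real host).
SAMPLE = ('# constructed sample\n'
          'Options -Indexes\n'
          '<Files "*.php">\n'
          '  fcgidwrapper /home/user/bin/wrap .php\n'
          '</Files>\n'
          '#FcgidAuthorizer /tmp/x\n'
          'FcgidAccess\\\n'
          'Checker /home/user/bin/check\n')


def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf = ""
    if buf:
        yield start, buf


def scan_htaccess(text):
    """Return [(line_no, directive, args)] for risky directives in one file."""
    hits = []
    for no, line in logical_lines(text):
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if parts[0].lower() in RISKY:  # directive names are case-insensitive
            hits.append((no, parts[0], parts[1] if len(parts) > 1 else ""))
    return hits


def scan_tree(root, access_file=".htaccess"):
    """Walk root and return [(path, line_no, directive, args)]."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if access_file in files:
            path = os.path.join(dirpath, access_file)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings += [(path,) + hit for hit in scan_htaccess(fh.read())]
    return findings
```

Calling `scan_tree()` on the shared-hosting document root gives an inventory of which user directories already rely on these directives, which is what an administrator would need before restricting them.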
