httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua Slive" <>
Subject RE: [PATCH] security_tips.html
Date Tue, 02 Oct 2001 15:37:43 GMT

> -----Original Message-----
> From: Allan Liska []

> As Joshua suggested, I have separated the content changes from the
> formatting changes.  Listed below are the proposed content changes for the
> Server Side Includes section.  If they are acceptable, I will continue
> working the rest of the security tips documentation, according to the
> proposal outlined earlier.


> Any feedback is greatly appreciated.

See below.

> +<p>Server Side Includes (SSI), present a server administrator with
> +several potential security risks.</p>
> +
> +<p>
> +The first risk is the increased load on the server.  All SSI-enabled
> +files have to be parsed by Apache, whether or not there are any SSI
> +directives included within the file.  While this load increase is
> +minor, in a shared server environment it can become significant.</p>
> +
> +<p>
> +SSI files also pose the same risks that are associated with CGI scripts
> +in general.  A user can execute any CGI script through an SSI-enabled
> +file.  That should definitely give server administrators pause.</p>

I would say "A user can execute any CGI script or program" (see exec cmd).
You might also want to say "under the userid of the User and Group
configured in httpd.conf" and then mention how suexec mitigates this

> +
> +<p>
> +There are ways to enhance the security of SSI files, while still taking
> +advantage of the benefits they provide.</p>
> +
> +<p>
> +To start, never enable SSI for files with .html or .htm extension.
> +This is especially true in a shared, or heavily trafficked, server
> +environment.  SSI-enabled files should have a separate extension,
> +such as the conventional .shtml.  This helps keep server load at
> a minimum.
> +</p>

That is too strongly worded.  Using a different extension is a good idea for
security and management reasons, but you should remove "never".  If the
server is managed carefully, you can parse .html files without risk.  (You
have to realize that some people take what is written in the docs VERY
literally.  If you say "never" they assume the world will fall in if you try
it.  Of course, other people assume "never" means "go for it" ;-)

> +
> +<p>Another solution is to disable the #exec command withing  SSI. To do
> +that you use the IncludesNOEXEC option to the
> +<a href="../mod/core.html#options">Options</a> directive.</p>

I don't think the example directory block is necessary, but I would
explicitly state that you should use IncludesNoExec IN PLACE OF Includes.

Thanks again for being presistent about this!


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message