From Allan Liska <>
Subject [PATCH] security_tips.html
Date Mon, 01 Oct 2001 23:04:11 GMT

As Joshua suggested, I have separated the content changes from the
formatting changes.  Listed below are the proposed content changes for the
Server Side Includes section.  If they are acceptable, I will continue
working on the rest of the security tips documentation, according to the
proposal outlined earlier.

Any feedback is greatly appreciated.

 <H2>Server Side Includes</H2>
-<P>Server side includes (SSI) can be configured so that users can execute
-arbitrary programs on the server. That thought alone should send a shiver
-down the spine of any sys-admin.<P>
-One solution is to disable that part of SSI. To do that you use the
-IncludesNOEXEC option to the <A HREF="../mod/core.html#options">Options</A>
+<p>Server Side Includes (SSI), present a server administrator with
+several potential security risks.</p>
+The first risk is the increased load on the server.  All SSI-enabled
+files have to be parsed by Apache, whether or not there are any SSI
+directives included within the file.  While this load increase is
+minor, in a shared server environment it can become significant.</p>
+SSI files also pose the same risks that are associated with CGI scripts
+in general.  A user can execute any CGI script through an SSI-enabled
+file.  That should definitely give server administrators pause.</p>
+There are ways to enhance the security of SSI files, while still taking
+advantage of the benefits they provide.</p>
+To start, never enable SSI for files with .html or .htm extension.
+This is especially true in a shared, or heavily trafficked, server
+environment.  SSI-enabled files should have a separate extension,
+such as the conventional .shtml.  This helps keep server load at a minimum.
+<p>Another solution is to disable the #exec command withing  SSI. To do
+that you use the IncludesNOEXEC option to the
+<a href="../mod/core.html#options">Options</a> directive.</p>
+&lt;Directory /&gt; <br>
+Options IncludesNOEXEC <br>
+&lt;/Directory&gt; <br>
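Review bot: the new paragraphs beginning "The first risk is", "SSI files also pose", "There are ways to enhance" and "To start, never enable" each close with `</p>` but have no opening `<p>`, so the markup is unbalanced; add `<p>` at the start of each of those four paragraphs. In the same hunk, "withing  SSI" should read "within SSI" (typo plus doubled space), and the comma in "Server Side Includes (SSI), present a server administrator" separates subject from verb and should be dropped. The `<Directory />` example is laid out with trailing `<br>` tags; wrapping the three lines in a `<pre>` or `<blockquote>` block would present it as a configuration excerpt rather than running text. Finally, the risk paragraph says a user can execute any CGI script through an SSI-enabled file while the mitigation paragraph says IncludesNOEXEC disables the #exec command; stating explicitly that this option addresses the #exec directive would help a reader connect the described risk to the proposed setting.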


Allan Liska

