httpd-docs mailing list archives

Subject [Bug 57777] New: Security concerns with documentation of AddHandler (and multiple file extensions)
Date Mon, 30 Mar 2015 00:58:33 GMT

            Bug ID: 57777
           Summary: Security concerns with documentation of AddHandler
                    (and multiple file extensions)
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation

The latest official docs on AddHandler at [1] list

  AddHandler cgi-script .cgi

for an example.  Why use something as dangerous for an example?
A few lines below, the user is pointed to notes on multiple file extensions at
but no mention of "security" and no example of an attack scenario
with remote code execution from a user file upload form.

The official FAQ at [3] mentions "AddHandler cgi-script .cgi", too.  Why?

The multiple file extension approach of AddHandler seems to be widely unknown:
Dangerous guides enabling CGI or PHP execution using AddHandler can be found
across the internet, including documentation of webhosters and large Linux
Therefore I believe Apache users need all the help they can get from the
documentation understanding that AddHandler is dangerous to use in many cases.

Ideally, also add a big graphic warning sign in the docs to AddHandler
and/or boldly discourage its use altogether.  That would rock the house.

Thanks in advance!


PS: Bug #57584 is related and has my full support.
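The directive the report objects to, placed next to the narrower form the httpd documentation offers for the same job. This is an added illustration, not part of the bug report or of the Apache project's own documentation; the directory paths are placeholders.

```apache
# Added example (not from the bug report); paths are placeholders.

# Risky: mod_mime applies AddHandler to ANY extension a filename carries,
# so "report.cgi.jpg" is executed as CGI just like "script.cgi".
# Left commented out here; it is the form the report asks to discourage.
# AddHandler cgi-script .cgi

<Directory "/srv/www/cgi-bin">
    Options +ExecCGI
    # Narrower: the handler applies only when the name ENDS in ".cgi".
    <FilesMatch "\.cgi$">
        SetHandler cgi-script
    </FilesMatch>
</Directory>

# Where users can write files, ensure no script handler applies at all,
# whatever the file is named: force the plain file handler and drop any
# extension mappings inherited from the server or virtual host scope.
<Directory "/srv/www/uploads">
    Options -ExecCGI -Includes
    SetHandler default-handler
    RemoveHandler .cgi .php
</Directory>
```

The same FilesMatch/SetHandler pattern applies to other script handlers (for example a PHP handler): anchoring the match with `$` is what stops a secondary extension from being honoured, and the explicit `SetHandler default-handler` on writable directories is the check worth keeping even after the global AddHandler line is gone.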
