httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 57777] New: Security concerns with documentation of AddHandler (and multiple file extensions)
Date Mon, 30 Mar 2015 00:58:33 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=57777

            Bug ID: 57777
           Summary: Security concerns with documentation of AddHandler
                    (and multiple file extensions)
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
          Assignee: docs@httpd.apache.org
          Reporter: sebastian@pipping.org

The latest official docs on AddHandler at [1] list

  AddHandler cgi-script .cgi

for an example.  Why use something as dangerous for an example?
A few lines below, the user is pointed to notes on multiple file extensions at
[2]
but no mention of "security" and no example of an attack scenario
with remote code execution from a user file upload form.

The official FAQ at [3] mentions "AddHandler cgi-script .cgi", too.  Why?

The multiple file extension approach of AddHandler seems to be widely unknown:
Dangerous guides enabling CGI or PHP execution using AddHandler can be found
all
accross the internet, including documentation of webhosters and large Linux
distributions.
Therefore I believe Apache users need all the help they can get from the
official
documentation understanding that AddHandler is dangerous to use in many cases.

Ideally, also add a big graphic warning sign in the docs to AddHandler
and/or boldly discourage its use altogether.  That would rock the house.

Thanks in advance!


[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler
[2] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext
[3]
https://wiki.apache.org/httpd/FAQ#How_do_I_enable_CGI_execution_in_directories_other_than_the_ScriptAlias.3F

PS: Bug #57584 is related and has my full support.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message