httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jefferson Ogata <apa...@antibozo.net>
Subject Re: [users@httpd] Securing handler from direct access via URL.
Date Thu, 09 Sep 2010 20:42:36 GMT
On 2010-09-09 20:33, Daryl Tester wrote:
> This works as it should, but a side effect is that Action is exposing
> http:///cgi-bin/php5 to the outside world (which barfs when accessed
> directly).  Access permissions on the cgi-bin directory appear to get
> propagated to the resources I'm trying to "handle", so that doesn't
> help.

That sounds like a potentially extremely dangerous configuration. I 
wonder what happens when you POST to that CGI.

Interpreters in general should never be accessible as direct CGIs if 
there's any way for an attacker to submit input to them for 
interpretation. (Consider also POSTing to http:///cgi-bin/php5+/dev/fd/0.)

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message