httpd-users mailing list archives

From Daryl Tester <dt-apa...@handcraftedcomputers.com.au>
Subject Re: [users@httpd] Securing handler from direct access via URL.
Date Thu, 09 Sep 2010 21:37:53 GMT
Jefferson Ogata wrote:

> That sounds like a potentially extremely dangerous configuration.

Agreed, which is why I'm asking how to not do it.  All the non-mod_php
examples I seem to find on the net are set up in this configuration.
I cannot get "Action" to point to something other than a cgi script,
and I don't know if there's another directive that will do what I want
(SetHandler will kibosh all files in that directory, which will affect
the non-php resources).

> Interpreters in general should never be accessible as direct CGIs if 
> there's any way for an attacker to submit input to them for 
> interpretation. (Consider also POSTing to http:///cgi-bin/php5+/dev/fd/0.)

Yes, again, I know it's dangerous, hence the concern of my original post.
Was my subject line ambiguous?

-- 
Regards,
  Daryl Tester

"It's bad enough to have two heads, but it's worse when one's unoccupied."
  -- Scatterbrain, "I'm with Stupid."

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
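
An added example, not part of the original message or of the httpd project: a small audit script that flags the configuration discussed in this thread, where an `Action` target also sits under a `ScriptAlias` URL prefix and so can be requested directly. The sample configuration, paths and handler names are constructed; `Include` files and `<Directory>`-based CGI mappings are not followed.

```python
import shlex

# Constructed sample, not taken from the thread: the layout the post describes,
# where "Action" targets an interpreter that a ScriptAlias also maps to a URL.
SAMPLE_CONF = """\
# PHP as CGI
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
AddHandler php5-script .php
Action php5-script /cgi-bin/php5
Action report-script /internal/report-wrapper
"""


def parse_directives(conf_text):
    """Yield (lowercased name, args) for each non-comment directive line."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        # httpd treats only whole lines starting with '#' as comments.
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = shlex.split(line)  # honours quoted arguments
        yield parts[0].lower(), parts[1:]


def under_prefix(url, prefix):
    """True if url is the alias prefix itself or a path below it."""
    base = prefix.rstrip("/")
    return url == base or url.startswith(base + "/")


def exposed_action_targets(conf_text):
    """Return (handler, url) for Action targets that sit under a ScriptAlias,
    i.e. interpreters that clients can also request directly by URL."""
    prefixes, actions = [], []
    for name, args in parse_directives(conf_text):
        if name == "scriptalias" and len(args) >= 2:
            prefixes.append(args[0])
        elif name == "action" and len(args) >= 2:
            actions.append((args[0], args[1]))
    return [(h, u) for h, u in actions
            if any(under_prefix(u, p) for p in prefixes)]


if __name__ == "__main__":
    for handler, url in exposed_action_targets(SAMPLE_CONF):
        print(f"{handler}: Action target {url} is directly reachable")
```

An empty result only means this one pattern was not found; it does not show that the interpreter is unreachable by other mappings.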

