httpd-users mailing list archives

From Daryl Tester <dt-apa...@handcraftedcomputers.com.au>
Subject Re: [users@httpd] Securing handler from direct access via URL. *RESOLUTION*
Date Fri, 10 Sep 2010 23:04:43 GMT
Jefferson Ogata wrote:

> On 2010-09-09 20:33, Daryl Tester wrote:

>> This works as it should, but a side effect is that Action is exposing
>> http:///cgi-bin/php5 to the outside world (which barfs when accessed
>> directly).  Access permissions on the cgi-bin directory appear to get
>> propagated to the resources I'm trying to "handle", so that doesn't
>> help.

> That sounds like a potentially extremely dangerous configuration. I 
> wonder what happens when you POST to that CGI.

Bear in mind that this is Ubuntu 10.04's *default* location for php in
their php5-cgi package (potentially copied from Debian - I neither know
nor care any more about these arbitrary distinctions), so this wasn't
something I'd set up.  It didn't help that FastCGI's canonical
configuration of supporting script handlers is by forcing the interpreter
to live in URL accessible space either (see use of Action directive at
<http://www.fastcgi.com/drupal/node/5?q=node/10>, and other PHP+FastCGI
documents).

To "fix" this issue, I've subsequently discovered the mod_fcgid module
which allows me to have an AddHandler without Action directive, so now
my interpreters are existing well outside of access from URLs.  Now I'm
a moderately happy camper (or at least, sleeping slightly better at night).

Cheers.


-- 
Regards,
  Daryl Tester

"It's bad enough to have two heads, but it's worse when one's unoccupied."
  -- Scatterbrain, "I'm with Stupid."

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
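
The change described in the message above, written out as an added configuration sketch (not part of the original post and not taken from the Apache or Ubuntu documentation). The handler label `php5-cgi` and the paths `/usr/lib/cgi-bin`, `/usr/bin/php5-cgi` and `/var/www` are assumptions; only `/cgi-bin/php5`, `Action`, `AddHandler` and mod_fcgid come from the thread.

```apache
# The two sections below are alternatives; do not load both.

# --- Before: handler dispatched through Action -------------------------
# Action takes a URL path as its target, so the interpreter must live in
# URL-accessible space. Anyone can then request /cgi-bin/php5 directly.
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/      # assumed filesystem location
AddHandler php5-cgi .php                     # assumed handler label
Action php5-cgi /cgi-bin/php5

# --- After: mod_fcgid, AddHandler without Action -----------------------
# FcgidWrapper takes a filesystem path, not a URL, so the interpreter can
# sit outside DocumentRoot and outside every Alias/ScriptAlias target.
# (mod_fcgid releases before 2.3 spell the directive FCGIWrapper.)
<IfModule mod_fcgid.c>
    AddHandler fcgid-script .php
    FcgidWrapper /usr/bin/php5-cgi .php      # assumed interpreter path
</IfModule>

# fcgid-script is only served where ExecCGI is enabled.
<Directory /var/www>                         # assumed document root
    Options +ExecCGI
</Directory>
```

Switching handlers does not by itself remove the old exposure: if an interpreter binary is still present under a `ScriptAlias` directory, `/cgi-bin/php5` stays reachable until that binary or the alias is removed. After the change, a direct request for that URL should no longer reach the interpreter.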

