perl-embperl mailing list archives

From "Gerald Richter" <rich...@ecos.de>
Subject Re: Security issue
Date Tue, 09 Jul 2002 06:30:01 GMT
>[7422]Reading /usr/local/public/virtualdomains/archangl/archangelqnet/cgi-bin/embperl/embpcgi.pl as input using PerlIO (909 Bytes)...
>
>Ok, now, it was my impression that it would only read documents within
>the DOCUMENT_ROOT, and considering that the document root for this dom

No, it does the same transformation from the URL to the file as for every
other request. So when you have an Alias in your httpd.conf it will follow
it, as for a normal request.

This problem came up some years ago, and to avoid these security
problems we added the EMBPERL_ALLOW directive. You say, for example,

Embperl_Allow "\.epl$"

and Embperl will only serve documents which have the extension .epl

Gerald

P.S. In 1.3.4 you need the SetEnv before the EMBPERL_ALLOW

-------------------------------------------------------------
Gerald Richter    ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
E-Mail:     richter@ecos.de         Voice:    +49 6133 925131
WWW:        http://www.ecos.de      Fax:      +49 6133 925152
-------------------------------------------------------------
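
An added example, not part of the original message and not Embperl code: a small Perl check of which filenames the allow pattern from the message would let through, beside a looser pattern constructed here for comparison. It assumes the EMBPERL_ALLOW value is applied as a Perl regular expression to the translated filename; every sample path except the one from the quoted log line is constructed.

```perl
#!/usr/bin/perl
# Added example, not Embperl source. Assumption: the EMBPERL_ALLOW value is
# matched as a Perl regular expression against the translated filename.
use strict;
use warnings;

# The pattern from the message, and a looser variant (constructed) that drops
# the escaped dot and the end-of-string anchor.
my %patterns = (
    'from the message'    => qr/\.epl$/,
    'loose (constructed)' => qr/.epl/,
);

# First entry is the path from the quoted log line; the rest are constructed.
my @files = (
    '/usr/local/public/virtualdomains/archangl/archangelqnet/cgi-bin/embperl/embpcgi.pl',
    '/home/site/htdocs/index.epl',
    '/home/site/htdocs/index.epl.bak',
    '/home/site/htdocs/replies/list.html',
    '/home/site/htdocs/INDEX.EPL',
);

# Return what the filter would decide for one file under one pattern.
sub decide {
    my ($re, $file) = @_;
    return $file =~ $re ? 'process' : 'forbidden';
}

for my $name (sort keys %patterns) {
    print "Pattern $name: $patterns{$name}\n";
    printf "  %-10s %s\n", decide($patterns{$name}, $_), $_ for @files;
}
```

With the anchored pattern only index.epl is processed; the loose variant also lets through index.epl.bak and replies/list.html, because an unescaped dot matches any character and nothing ties the match to the end of the name.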





