Received: (from majordom@localhost) by hyperreal.org (8.8.5/8.8.5) id UAA07078; Wed, 27 Aug 1997 20:20:08 -0700 (PDT)
Received: (from gnats@localhost) by hyperreal.org (8.8.5/8.8.5) id UAA06994; Wed, 27 Aug 1997 20:20:03 -0700 (PDT)
Date: Wed, 27 Aug 1997 20:20:03 -0700 (PDT)
Message-Id: <199708280320.UAA06994@hyperreal.org>
From: Bryan Campbell
Reply-To: Bryan Campbell
To: apache-bugdb@apache.org
Cc: apache-bugdb@apache.org
Subject: mod_include/1066: includesNOEXEC does not shut off "exec cmd" . . .
In-Reply-To: Your message of Wed, 27 Aug 1997 20:12:33 -0700 (PDT) <199708280312.UAA04327@hyperreal.org>
Sender: apache-bugdb-owner@apache.org
Precedence: bulk

>Number: 1066
>Category: mod_include
>Synopsis: includesNOEXEC does not shut off "exec cmd" . . .
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: support
>Submitter-Id: apache
>Arrival-Date: Wed Aug 27 20:20:02 1997
>Originator: civil@fidnet.com
>Organization: apache
>Release: 1.2.4
>Environment:
Solaris 2.5 w/ recommended jumbo patch
gcc 2.7.2
SunOS mustang 5.5 Generic_103093-13 sun4m sparc SUNW,SPARCstation-5
>Description:
Install 1.2.4 with includesNOEXEC and call a bit of server parsed html with (or any other system command . . . i.e. xterm, finger . . . etc.)
If you don't get the date, please tell me why.

access.conf included below

# access.conf: Global access configuration
# Online docs at http://www.apache.org/

# This file defines server settings which affect which types of services
# are allowed, and in what circumstances.

# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).

# Originally by Rob McCool

# This should be changed to whatever you set DocumentRoot to.

# This may also be "None", "All", or any combination of "Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".

# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you (or at least, not yet).

Options Indexes FollowSymLinks IncludesNOEXEC

# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"

AllowOverride None

# Controls who can get stuff from this server.

order allow,deny
allow from all

# /usr/local/etc/httpd/cgi-bin should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.

AllowOverride None
Options None

# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your_domain.com" to match your domain to enable.

#
#SetHandler server-status
#order deny,allow
#deny from all
#allow from .your_domain.com
#

# You may place any other directories or locations you wish to have
# access information for after this one.

>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
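
A content audit that complements the report above, as an added example that is not part of the original message or of Apache's code: it lists every SSI exec directive (cmd or cgi) in server-parsed files, so an administrator relying on IncludesNOEXEC knows which pages would run a command if the option were not enforced. The sample markup is constructed, and the .shtml suffix and the function names are assumptions.

```python
import os
import re

# An SSI directive is an HTML comment: <!--#element attr="value" ... -->
DIRECTIVE = re.compile(r'<!--#(\w+)(.*?)-->', re.DOTALL)
ATTRIBUTE = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))''')

def find_exec_directives(text):
    """Return (line, attribute, value) for each SSI exec cmd/cgi in text."""
    hits = []
    for m in DIRECTIVE.finditer(text):
        if m.group(1).lower() != "exec":
            continue  # include, echo, etc. do not run commands
        line = text.count("\n", 0, m.start()) + 1
        for a in ATTRIBUTE.finditer(m.group(2)):
            name = a.group(1).lower()
            # exactly one of the three value groups matched
            value = next(g for g in a.groups()[1:] if g is not None)
            if name in ("cmd", "cgi"):
                hits.append((line, name, value))
    return hits

def scan_tree(root, suffixes=(".shtml",)):
    """Walk a document root; return {path: hits} for files with exec directives."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    hits = find_exec_directives(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample of a server-parsed page (not taken from the report).
SAMPLE = '''<html><body>
<!--#include file="header.html" -->
Today is <!--#exec cmd="date" -->
<!--#echo var="DATE_LOCAL" -->
<!--#EXEC
     cgi='/cgi-bin/counter.cgi' -->
</body></html>
'''

if __name__ == "__main__":
    for line, kind, value in find_exec_directives(SAMPLE):
        print(f"line {line}: exec {kind}={value!r}")
```
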