www-apache-bugdb mailing list archives

From m...@hyperreal.org
Subject Re: mod_include/1576: exec cmd bypasses ExecCGI security check. Any user can exec random programs and we can't block it!
Date Fri, 19 Dec 1997 18:58:02 GMT
Synopsis: exec cmd bypasses ExecCGI security check. Any user can exec random programs and we
can't block it!

State-Changed-From-To: open-closed
State-Changed-By: marc
State-Changed-When: Fri Dec 19 10:58:01 PST 1997
State-Changed-Why:
"exec cmd" does not execute CGIs and does not have anything
to do with CGIs so it is not and should not be impacted
by ExecCGI.  "exec cgi" is because it executes CGIs.

If you only wish to allow people to execute things otherwise
allowed, have them use "include virtual" and use
Options IncludesNOEXEC.

"include virtual" will allow you to include any virtual path
that is normally accessible, even things that happen to be
CGIs when IncludesNOEXEC is enabled.  Note that there is
a bug (and a PR about it somewhere...) in include virtual
where it incorrectly denies the execution of scripts that
would be executed in a directory with ExecCGI set; those in
ScriptAliased directories still work.
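
The point above, that SSI "exec cmd" is governed by the Includes option rather than by ExecCGI, can be checked across a configuration. The following is an added example, not part of the original message or of Apache itself: a small audit that flags Options lines which turn on Includes (or All) and so permit "exec cmd", whether or not ExecCGI is set. The sample configuration, its paths, and the function name audit_options are constructed for illustration; the check looks at each Options line on its own and does not model option inheritance between sections or .htaccess overrides.

```python
import re

# Constructed sample configuration (not from the original message).
SAMPLE_CONF = """\
<Directory /home/*/public_html>
    Options Indexes Includes
</Directory>
<Directory /usr/local/apache/htdocs>
    Options Indexes IncludesNOEXEC FollowSymLinks
</Directory>
<Directory /usr/local/apache/htdocs/apps>
    Options +ExecCGI +Includes
</Directory>
# Options Includes   (commented out, must be ignored)
"""

SECTION_OPEN = re.compile(r"<(Directory|Location|Files)\w*\s+([^>]+)>", re.I)
SECTION_CLOSE = re.compile(r"</(Directory|Location|Files)\w*>", re.I)

def audit_options(conf_text):
    """Return findings for Options lines that permit SSI "exec cmd"."""
    findings = []
    scope = ["(server config)"]
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_OPEN.match(line)
        if m:
            scope.append(m.group(2).strip().strip('"'))
            continue
        if SECTION_CLOSE.match(line):
            if len(scope) > 1:
                scope.pop()
            continue
        words = line.split()
        if words[0].lower() != "options":
            continue
        # Options switched on by this line ("-Name" switches one off).
        enabled = {w.lstrip("+").lower() for w in words[1:] if not w.startswith("-")}
        # "Includes" (and "All", which contains it) allows exec cmd;
        # "IncludesNOEXEC" is a different token and is not flagged.
        if "includes" in enabled or "all" in enabled:
            findings.append({
                "line": lineno,
                "scope": scope[-1],
                "execcgi_on_this_line": "execcgi" in enabled or "all" in enabled,
            })
    return findings
```

A finding with execcgi_on_this_line set to False is the case the PR describes: CGI execution is not enabled there, yet "exec cmd" still runs until Includes is replaced with IncludesNOEXEC.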

