>Number: 1752
>Category: config
>Synopsis: .cgi files execute as a cgi and I don't want them to.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Sun Feb 1 11:50:00 PST 1998
>Last-Modified:
>Originator: mike@cheapnet.net
>Organization:
apache
>Release: 1.2.4
>Environment:
I am running Linux 2.0.33 RedHat release 4.1. gcc 2.7.2.1
>Description:
I know your page said nothing about cgi's, but this is not about programming them.
In the srm.conf I have made sure the AddHandler line with .cgi is commented out,
but users on my system can simply put .cgi as a file and they can execute cgi's
with the webserver's permissions. I have installed cgiwrap, and it works well. But
there is a problem that users don't have to go through the wrapper, if they put .cgi.
Is there somewhere in the source that .cgi is enabled by default? How can I turn it
off, and still let certain users use cgi through the wrapper?
>How-To-Repeat:
www.cheapnet.net/~mike/cgi-bin/wwwlog.pl <- normal file I want to go through the
wrapper at like: www.cheapnet.net/cgi-bin/cgiwrap/~mike/wwwlog.pl
BUT if a user did something like www.cheapnet.net/~mike/cgi-bin/wwwlog.cgi they can
get through without using the wrapper!?
>Fix:
Turn .cgi off by default in the source, if that is the way it is set up right now.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]