HP3000-L Archives

September 2001, Week 3

HP3000-L@RAVEN.UTC.EDU
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Apache/iX: probably a hole in your config ?
From:
Andreas Schmidt <[log in to unmask]>
Reply To:
[log in to unmask]
Date:
Wed, 19 Sep 2001 12:59:17 +0200
Content-Type:
text/plain
Parts/Attachments:
text/plain (33 lines) 
Folks,

reading the Communicator 6.5 to prepare the 7.0 update ... I stumbled
across the directive
     UserDir
and the module
     mod_userdir.c
e.g. for the link http://yourserver.com/~MGR.APACHE (see Chapter 5, p.
142).

I tested it, and found out that it worked.

So far, so good.

But then I want to test a bit more and found ot that together with the
directive
     AddHandler cgi-script .cgi
and insufficent DIRECTORY settings for those user-directories, it's
possible to execute scripts out of ANY user's directories ... as long as
they reside in a directory as named in UserDir directive (default
public_html) under the user's MPE-homegroup (e.g.
/ACCOUNT/PUB/public_html/) and are accessible (644 for html documents, 755
for .cgi scripts).

This is a nice feature for .html files ... but you should be careful by
having the AddHandler cgi-script active.

Just a remark for the security of Apache/iX, best regards, Andreas Schmidt,
CSC, Germany

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *

ATOM RSS1 RSS2