HP3000-L Archives

September 2001, Week 3

HP3000-L@RAVEN.UTC.EDU

From: Mark Bixby <[log in to unmask]>
Date: Wed, 19 Sep 2001 09:10:28 -0700

I don't really think this is a security problem, due to the large number of
ANDs involved for user CGI scripts to be executed:

1) /ACCOUNT/PUB/public_html/ must exist

AND

2) /ACCOUNT/PUB/public_html/ must have at least "other execute" permissions

AND

3) /ACCOUNT/PUB/public_html/whatever.cgi must exist (AND have that .cgi name
extension)

AND

4) /ACCOUNT/PUB/public_html/whatever.cgi must have at least "other execute"
permissions

This is more of a policy issue -- do you want your users to be able to create
and execute CGI apps in their own UserDir directory trees?

CSY distributes Apache with sample configuration files that try to strike a
balance between security and having a good subset of Apache functionality
enabled.  They are only *sample* config files -- when you install Apache, if
you want the sample config file functionality, you must copy the sample files
in whole or in part to the real file locations.

The sample config files try to highlight useful Apache functionality.  The
number of Apache configuration directives is vast, and anything we omit from
the sample configs is likely to be overlooked by a new webmaster intimidated by
the full list at http://httpd.apache.org/docs/mod/directives.html.

- Mark B.

Andreas Schmidt wrote:
>
> Folks,
>
> reading the Communicator 6.5 to prepare the 7.0 update ... I stumbled
> across the directive
>      UserDir
> and the module
>      mod_userdir.c
> e.g. for the link http://yourserver.com/~MGR.APACHE (see Chapter 5, p.
> 142).
>
> I tested it, and found out that it worked.
>
> So far, so good.
>
> But then I wanted to test a bit more and found out that together with the
> directive
>      AddHandler cgi-script .cgi
> and insufficient DIRECTORY settings for those user-directories, it's
> possible to execute scripts out of ANY user's directories ... as long as
> they reside in a directory as named in UserDir directive (default
> public_html) under the user's MPE-homegroup (e.g.
> /ACCOUNT/PUB/public_html/) and are accessible (644 for html documents, 755
> for .cgi scripts).
>
> This is a nice feature for .html files ... but you should be careful about
> having the AddHandler cgi-script active.
>
> Just a remark for the security of Apache/iX, best regards, Andreas Schmidt,
> CSC, Germany
>
> * To join/leave the list, search archives, change list settings, *
> * etc., please visit http://raven.utc.edu/archives/hp3000-l.html *

--
[log in to unmask]
Remainder of .sig suppressed to conserve scarce California electrons...
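The policy choice discussed in this thread, shown as an added configuration example (not the CSY-distributed sample httpd.conf and not code from either poster): UserDir keeps serving users' HTML while CGI execution under user trees is denied unless granted per directory. It assumes Apache 1.3-era directive syntax and the /ACCOUNT/PUB/public_html/ layout named in the thread, with ACCOUNT standing in for a real MPE account name.

```apache
# Added example; not the CSY sample config. Assumes Apache 1.3 syntax and the
# MPE layout from the thread, where a user's tree is /ACCOUNT/PUB/public_html/.

# http://yourserver.com/~MGR.APACHE/ maps to that user's public_html directory.
UserDir public_html

# Server-wide: a *.cgi file is handed to mod_cgi, but mod_cgi only runs it
# when the enclosing directory also carries Options ExecCGI.
AddHandler cgi-script .cgi

# Weak setting: ExecCGI granted on every user tree, so once the four
# conditions above hold, any user's public_html/whatever.cgi executes.
#
# <Directory /*/PUB/public_html>
#     Options Indexes ExecCGI
# </Directory>

# Corrected setting: HTML is served, but a request for whatever.cgi under a
# user tree gets 403 ("Options ExecCGI is off in this directory") instead of
# running. AllowOverride deliberately omits "Options", so an .htaccess placed
# by the user cannot switch ExecCGI back on (FileInfo still lets it set
# AddHandler, which is harmless without ExecCGI).
<Directory /*/PUB/public_html>
    Options Indexes SymLinksIfOwnerMatch
    AllowOverride FileInfo AuthConfig Limit
</Directory>

# Where an account legitimately needs CGI, grant it per directory rather than
# server-wide, so each grant is an explicit webmaster decision. ACCOUNT is a
# placeholder, as in the thread.
<Directory /ACCOUNT/PUB/public_html/cgi-bin>
    Options +ExecCGI
</Directory>
```

With this layout the "AND" list in the reply gains a fifth condition under the webmaster's control: the directory must also have ExecCGI, which user-owned files and permissions cannot supply.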
