Posted to apache-bugdb@apache.org by Bryan Campbell <ci...@fidnet.com> on 1997/08/28 05:20:03 UTC

mod_include/1066: includesNOEXEC does not shut off "exec cmd" . . .

>Number:         1066
>Category:       mod_include
>Synopsis:       includesNOEXEC does not shut off "exec cmd" . . .
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          support
>Submitter-Id:   apache
>Arrival-Date:   Wed Aug 27 20:20:02 1997
>Originator:     civil@fidnet.com
>Organization:
apache
>Release:        1.2.4
>Environment:
Solaris 2.5
w/ recommended jumbo patch
gcc 2.7.2
SunOS mustang 5.5 Generic_103093-13 sun4m sparc SUNW,SPARCstation-5
>Description:
Install 1.2.4 with includesNOEXEC and call a bit of server parsed html with
<!--#exec cmd="/bin/date"--> (or any other system command  . . . i.e. xterm, finger  . . . etc.)  If you don't get the date, please tell me why.  

access.conf included below

# access.conf: Global access configuration
# Online docs at http://www.apache.org/

# This file defines server settings which affect which types of services
# are allowed, and in what circumstances. 

# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories). 

# Originally by Rob McCool

# This should be changed to whatever you set DocumentRoot to.

<Directory /home/fidelity/public_html>

# This may also be "None", "All", or any combination of "Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".

# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you (or at least, not yet).

Options Indexes FollowSymLinks IncludesNOEXEC

# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo", 
# "AuthConfig", and "Limit"

AllowOverride None

# Controls who can get stuff from this server.

order allow,deny
allow from all

</Directory>

# /usr/local/etc/httpd/cgi-bin should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.

<Directory /usr/local/etc/httpd/cgi-bin>
AllowOverride None
Options None
</Directory>

# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your_domain.com" to match your domain to enable.

#<Location /server-status>
#SetHandler server-status

#order deny,allow
#deny from all
#allow from .your_domain.com
#</Location>

# You may place any other directories or locations you wish to have
# access information for after this one.

>How-To-Repeat:

>Fix:

>Audit-Trail:
>Unformatted:
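An added audit helper, not part of this report or of Apache's own code: it parses the <Directory> containers from an access.conf like the one above and decides, for a given file path, whether mod_include would honour <!--#exec cmd=...-->. It assumes Apache's default of Options All for files that fall under no <Directory> container, and handles only plain keyword lists ('All', 'None' and keyword names), not the +/- merge syntax; the sample config embedded below is constructed from the report's two containers.

```python
import re

# Constructed sample: the two <Directory> containers from the access.conf in this report.
SAMPLE_CONF = """\
<Directory /home/fidelity/public_html>
Options Indexes FollowSymLinks IncludesNOEXEC
AllowOverride None
</Directory>
<Directory /usr/local/etc/httpd/cgi-bin>
AllowOverride None
Options None
</Directory>
"""

def parse_directory_options(conf):
    """Map each <Directory> path to its Options keywords, lower-cased because
    Apache matches them case-insensitively (IncludesNOEXEC == IncludesNoExec)."""
    result, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # Apache comments start the line
            continue
        m = re.match(r"<Directory\s+([^\s>]+)\s*>", line, re.I)
        if m:
            current = m.group(1).rstrip("/")
            result.setdefault(current, [])
        elif re.match(r"</Directory>", line, re.I):
            current = None
        elif current is not None and line.lower().startswith("options"):
            result[current] = [w.lower() for w in line.split()[1:]]
    return result

def exec_cmd_permitted(options):
    """True if mod_include would run <!--#exec cmd=...--> under these Options."""
    opts = set(options)
    if "none" in opts:
        return False
    if "all" in opts:          # All = every option except MultiViews, so full Includes
        return True
    # IncludesNOEXEC keeps #include working but disables #exec.
    return "includes" in opts and "includesnoexec" not in opts

def audit_path(conf, filepath, default_options=("all",)):
    """Use the most specific <Directory> that is a prefix of the file; files outside
    every container fall back to the server default (assumed here to be All)."""
    containers = parse_directory_options(conf)
    matches = [p for p in containers if filepath.startswith(p + "/")]
    if not matches:
        return exec_cmd_permitted(default_options)
    return exec_cmd_permitted(containers[max(matches, key=len)])
```

Running audit_path over the path of the .shtml file that still returned the date shows whether that file is actually covered by the IncludesNOEXEC container or is served from a directory that inherits the server default.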