Posted to users@httpd.apache.org by Rich Bowen <rb...@rcbowen.com> on 2002/06/02 21:24:55 UTC

Re: Problem with CGI

On Sun, 2 Jun 2002, Lior Hammer wrote:

> Hello,
> I have a little problem with CGI under RedHat Linux 7.2 with Apache 1.3.22.
> I exec these commands:
>
> mkdir /perl
> ln -s /usr/bin/perl /perl/perl
>
> Then, I added these lines to my httpd.conf:
>
> ScriptAlias /perl_location/ "/perl/"

I'm not real clear on what you *expect* to happen if this were to work
"correctly", but this is an amazingly bad idea, as it means that I, as a
random user from the Internet, can pass commands DIRECTLY to your Perl
interpreter to make it do whatever I like, by, for example, accessing
the URL on your server:
http://servername/perl/perl?system(rm%20-rf%20/);

or something of that nature.

This used to be a rather common problem on Windows machines, when folks
would put perl.exe in their cgi directory, but I have not seen this done
on Unix systems before.

-- 
Pilgrim, how you journey on the road you chose
To find out where the winds die and where the stories go
 --Pilgrim (Enya - A Day Without Rain)


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
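
A check for the misconfiguration described in the message above, as an added example that is not part of the original thread: it reads the ScriptAlias directives from a configuration, resolves symlinks in each target directory, and reports entries that are really an interpreter. The interpreter name list and the temporary layout built in demo() are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumed interpreter names; extend for your environment.
INTERPRETERS = {"perl", "python", "ruby", "php", "sh", "bash", "dash", "ksh", "zsh", "tclsh"}
SCRIPT_ALIAS = re.compile(r'^\s*ScriptAlias\s+(\S+)\s+(?:"([^"]+)"|(\S+))', re.I)

def script_alias_dirs(conf_text):
    """Yield (url_prefix, directory) for each ScriptAlias line (comment lines never match)."""
    for line in conf_text.splitlines():
        m = SCRIPT_ALIAS.match(line)
        if m:
            yield m.group(1), m.group(2) or m.group(3)

def exposed_interpreters(conf_text):
    """Return (url, resolved_path) for CGI-directory entries that are really an interpreter."""
    findings = []
    for prefix, directory in script_alias_dirs(conf_text):
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            real = os.path.realpath(os.path.join(directory, name))  # follow symlinks
            stem = re.sub(r"\.exe$", "", os.path.basename(real).lower())
            stem = re.sub(r"[\d.]+$", "", stem)  # perl5.8.0 -> perl, python3 -> python
            if stem in INTERPRETERS:
                findings.append((prefix.rstrip("/") + "/" + name, real))
    return findings

def demo():
    """Constructed layout mirroring the thread: a CGI directory holding a symlink to perl."""
    root = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(root, "usr/bin"))
    os.makedirs(os.path.join(root, "perl"))
    fake_perl = os.path.join(root, "usr/bin/perl")  # empty stand-in, not a real binary
    open(fake_perl, "w").close()
    os.symlink(fake_perl, os.path.join(root, "perl", "perl"))
    open(os.path.join(root, "perl", "hello.cgi"), "w").close()
    conf = ('# ScriptAlias /old/ "/nonexistent/"\n'
            'ScriptAlias /perl_location/ "%s/"\n' % os.path.join(root, "perl"))
    return root, exposed_interpreters(conf)

if __name__ == "__main__":
    for url, real in demo()[1]:
        print("interpreter reachable as CGI: %s -> %s" % (url, real))
```

Run it against the real configuration by passing the contents of httpd.conf to exposed_interpreters(); an empty result means no ScriptAlias directory exposes a listed interpreter.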


Re: Problem with CGI

Posted by Lior Hammer <li...@lior.ath.cx>.
Thank you very much!
It's working! (after I added "Options +ExecCGI" to that directory)
----- Original Message ----- 
From: "Bruno Wolff III" <br...@wolff.to>
To: <us...@httpd.apache.org>
Sent: Sunday, June 02, 2002 1:33 PM
Subject: Re: Problem with CGI


> On Sun, Jun 02, 2002 at 22:33:27 -0700,
>   Lior Hammer <li...@lior.ath.cx> wrote:
> > Do you have a better idea?
> > I need to use both CGI and normal HTML in the same directory.
> 
> AddHandler cgi-script .cgi


Re: Problem with CGI

Posted by Bruno Wolff III <br...@wolff.to>.
On Sun, Jun 02, 2002 at 22:33:27 -0700,
  Lior Hammer <li...@lior.ath.cx> wrote:
> Do you have a better idea?
> I need to use both CGI and normal HTML in the same directory.

AddHandler cgi-script .cgi



Re: Problem with CGI

Posted by Lior Hammer <li...@lior.ath.cx>.
Do you have a better idea?
I need to use both CGI and normal HTML in the same directory.
----- Original Message -----
From: "Rich Bowen" <rb...@rcbowen.com>
To: <us...@httpd.apache.org>
Sent: Sunday, June 02, 2002 12:24 PM
Subject: Re: Problem with CGI


> On Sun, 2 Jun 2002, Lior Hammer wrote:
>
> > Hello,
> > I have a little problem with CGI under RedHat Linux 7.2 with Apache 1.3.22.
> > I exec these commands:
> >
> > mkdir /perl
> > ln -s /usr/bin/perl /perl/perl
> >
> > Then, I added these lines to my httpd.conf:
> >
> > ScriptAlias /perl_location/ "/perl/"
>
> I'm not real clear on what you *expect* to happen if this were to work
> "correctly", but this is an amazingly bad idea, as it means that I, as a
> random user from the Internet, can pass commands DIRECTLY to your Perl
> interpreter to make it do whatever I like, by, for example, accessing
> the URL on your server:
> http://servername/perl/perl?system(rm%20-rf%20/);
>
> or something of that nature.
>
> This used to be a rather common problem on Windows machines, when folks
> would put perl.exe in their cgi directory, but I have not seen this done
> on Unix systems before.
>
> --
> Pilgrim, how you journey on the road you chose
> To find out where the winds die and where the stories go
>  --Pilgrim (Enya - A Day Without Rain)
>
>