Posted to dev@httpd.apache.org by Martin Kraemer <Ma...@mch.sni.de> on 1998/02/25 20:50:52 UTC

without Options +ExecCGI?

On my linux box at home, I can execute commands without an explicit
Options +ExecCGI anywhere around. Is that intentional?
I thought it should be forbidden...
The only Options configured are
    Options Indexes FollowSymLinks

    Martin
-- 
| S I E M E N S |  <Ma...@mch.sni.de>  |      Siemens Nixdorf
| ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
| N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request

Re: without Options +ExecCGI?

Posted by Martin Kraemer <Ma...@mch.sni.de>.
What is wrong with Apache's defaults is that the OPT_INCNOEXEC bit is
not set automatically. So, unless the WebMaster sets
    Options +IncludesNOEXEC
explicitly, execution of arbitrary commands is possible. IMHO, this
is a security flaw, and the default should set the OPT_INCNOEXEC
everywhere.

    Martin

On Wed, Feb 25, 1998 at 02:44:05PM -0700, Marc Slemko wrote:
> On Wed, 25 Feb 1998, Martin Kraemer wrote:
> 
> > On my linux box at home, I can execute commands without an explicit
> > Options +ExecCGI anywhere around. Is that intentional?
> > I thought it should be forbidden...
> 
> The way it is currently is correct, because exec cmd has nothing to do
> with CGIs.
> 
> > The only Options configured are
> >     Options Indexes FollowSymLinks

Re: without Options +ExecCGI?

Posted by Marc Slemko <ma...@worldgate.com>.
On Wed, 25 Feb 1998, Dean Gaudet wrote:

> Well then why doesn't it behave that way?  :)

_now_ read my earlier message about no one having a clue.  <g>

> 
> Dean
> 
> On Wed, 25 Feb 1998, Marc Slemko wrote:
> 
> > On Wed, 25 Feb 1998, Dean Gaudet wrote:
> > 
> > > PR#697
> > 
> > But that proposes an unnecessary and needless new option.
> > 
> > There is no need for IncludesNOCMD because the way IncludesNOEXEC is
> > _supposed_ to work is that you can use include virtual to run things which
> > are treated as CGIs anyway.  
> > 
> > > 
> > > Dean
> > > 
> > > On Wed, 25 Feb 1998, Marc Slemko wrote:
> > > 
> > > > On Wed, 25 Feb 1998, Dean Gaudet wrote:
> > > > 
> > > > > Actually I meant that there's a PR that gets rid of the silly #exec cmd
> > > > > behaviour.
> > > > 
> > > > Oh?  But... but... there is no silly exec cmd behaviour.  What it does is
> > > > correct.  What PR is this?
> > > > 
> > > > > 
> > > > > Dean
> > > > > 
> > > > > On Wed, 25 Feb 1998, Marc Slemko wrote:
> > > > > 
> > > > > > On Wed, 25 Feb 1998, Dean Gaudet wrote:
> > > > > > 
> > > > > > > There's a PR in the database that fixes this questionable behaviour.  It's
> > > > > > > ancient, and probably suspended.
> > > > > > > 
> > > > > > > (suspended PRs == ignored PRs, unfortunately)
> > > > > > 
> > > > > > No, they just mean no one knows what to do.  The issue with this one is
> > > > > > that it is explicitly denied for what claims to be security reasons or
> > > > > > something.  There may be more impact than just this to changing it.
> > > > > > 
> > > > > > > 
> > > > > > > Dean
> > > > > > > 
> > > > > > > On Wed, 25 Feb 1998, Marc Slemko wrote:
> > > > > > > 
> > > > > > > > On Wed, 25 Feb 1998, Martin Kraemer wrote:
> > > > > > > > 
> > > > > > > > > On my linux box at home, I can execute commands without an explicit
> > > > > > > > > Options +ExecCGI anywhere around. Is that intentional?
> > > > > > > > > I thought it should be forbidden...
> > > > > > > > 
> > > > > > > > The way it is currently is correct, because exec cmd has nothing to do
> > > > > > > > with CGIs.
> > > > > > > > 
> > > > > > > > The only bogon I am aware of in that area is that IncludesNOEXEC does not
> > > > > > > > currently allow AddHandler'd CGIs to be run by include virtual but only
> > > > > > > > allows ScriptAliased ones.  IncludesNOEXEC should still allow include
> > > > > > > > virtual to include things that would be run as CGIs if accessed directly
> > > > > > > > anyway.
> > > > > > > > 
> > > > > > > > > The only Options configured are
> > > > > > > > >     Options Indexes FollowSymLinks
> > > > > > > > > 
> > > > > > > > >     Martin


Re: without Options +ExecCGI?

Posted by Dean Gaudet <dg...@arctic.org>.
Well then why doesn't it behave that way?  :)

Dean

On Wed, 25 Feb 1998, Marc Slemko wrote:

> On Wed, 25 Feb 1998, Dean Gaudet wrote:
> 
> > PR#697
> 
> But that proposes an unnecessary and needless new option.
> 
> There is no need for IncludesNOCMD because the way IncludesNOEXEC is
> _supposed_ to work is that you can use include virtual to run things which
> are treated as CGIs anyway.  
> 
> > 
> > Dean
> > 
> > On Wed, 25 Feb 1998, Marc Slemko wrote:
> > 
> > > On Wed, 25 Feb 1998, Dean Gaudet wrote:
> > > 
> > > > Actually I meant that there's a PR that gets rid of the silly #exec cmd
> > > > behaviour.
> > > 
> > > Oh?  But... but... there is no silly exec cmd behaviour.  What it does is
> > > correct.  What PR is this?
> > > 
> > > > 
> > > > Dean
> > > > 
> > > > On Wed, 25 Feb 1998, Marc Slemko wrote:
> > > > 
> > > > > On Wed, 25 Feb 1998, Dean Gaudet wrote:
> > > > > 
> > > > > > There's a PR in the database that fixes this questionable behaviour.  It's
> > > > > > ancient, and probably suspended.
> > > > > > 
> > > > > > (suspended PRs == ignored PRs, unfortunately)
> > > > > 
> > > > > No, they just mean no one knows what to do.  The issue with this one is
> > > > > that it is explicitly denied for what claims to be security reasons or
> > > > > something.  There may be more impact than just this to changing it.
> > > > > 
> > > > > > 
> > > > > > Dean
> > > > > > 
> > > > > > On Wed, 25 Feb 1998, Marc Slemko wrote:
> > > > > > 
> > > > > > > On Wed, 25 Feb 1998, Martin Kraemer wrote:
> > > > > > > 
> > > > > > > > On my linux box at home, I can execute commands without an explicit
> > > > > > > > Options +ExecCGI anywhere around. Is that intentional?
> > > > > > > > I thought it should be forbidden...
> > > > > > > 
> > > > > > > The way it is currently is correct, because exec cmd has nothing to do
> > > > > > > with CGIs.
> > > > > > > 
> > > > > > > The only bogon I am aware of in that area is that IncludesNOEXEC does not
> > > > > > > currently allow AddHandler'd CGIs to be run by include virtual but only
> > > > > > > allows ScriptAliased ones.  IncludesNOEXEC should still allow include
> > > > > > > virtual to include things that would be run as CGIs if accessed directly
> > > > > > > anyway.
> > > > > > > 
> > > > > > > > The only Options configured are
> > > > > > > >     Options Indexes FollowSymLinks
> > > > > > > > 
> > > > > > > >     Martin


Re: without Options +ExecCGI?

Posted by Marc Slemko <ma...@worldgate.com>.
On Wed, 25 Feb 1998, Dean Gaudet wrote:

> PR#697

But that proposes an unnecessary and needless new option.

There is no need for IncludesNOCMD because the way IncludesNOEXEC is
_supposed_ to work is that you can use include virtual to run things which
are treated as CGIs anyway.  

> 
> Dean
> 
> On Wed, 25 Feb 1998, Marc Slemko wrote:
> 
> > On Wed, 25 Feb 1998, Dean Gaudet wrote:
> > 
> > > Actually I meant that there's a PR that gets rid of the silly #exec cmd
> > > behaviour.
> > 
> > Oh?  But... but... there is no silly exec cmd behaviour.  What it does is
> > correct.  What PR is this?
> > 
> > > 
> > > Dean
> > > 
> > > On Wed, 25 Feb 1998, Marc Slemko wrote:
> > > 
> > > > On Wed, 25 Feb 1998, Dean Gaudet wrote:
> > > > 
> > > > > There's a PR in the database that fixes this questionable behaviour.  It's
> > > > > ancient, and probably suspended.
> > > > > 
> > > > > (suspended PRs == ignored PRs, unfortunately)
> > > > 
> > > > No, they just mean no one knows what to do.  The issue with this one is
> > > > that it is explicitly denied for what claims to be security reasons or
> > > > something.  There may be more impact than just this to changing it.
> > > > 
> > > > > 
> > > > > Dean
> > > > > 
> > > > > On Wed, 25 Feb 1998, Marc Slemko wrote:
> > > > > 
> > > > > > On Wed, 25 Feb 1998, Martin Kraemer wrote:
> > > > > > 
> > > > > > > On my linux box at home, I can execute commands without an explicit
> > > > > > > Options +ExecCGI anywhere around. Is that intentional?
> > > > > > > I thought it should be forbidden...
> > > > > > 
> > > > > > The way it is currently is correct, because exec cmd has nothing to do
> > > > > > with CGIs.
> > > > > > 
> > > > > > The only bogon I am aware of in that area is that IncludesNOEXEC does not
> > > > > > currently allow AddHandler'd CGIs to be run by include virtual but only
> > > > > > allows ScriptAliased ones.  IncludesNOEXEC should still allow include
> > > > > > virtual to include things that would be run as CGIs if accessed directly
> > > > > > anyway.
> > > > > > 
> > > > > > > The only Options configured are
> > > > > > >     Options Indexes FollowSymLinks
> > > > > > > 
> > > > > > >     Martin


Re: without Options +ExecCGI?

Posted by Dean Gaudet <dg...@arctic.org>.
PR#697

Dean

On Wed, 25 Feb 1998, Marc Slemko wrote:

> On Wed, 25 Feb 1998, Dean Gaudet wrote:
> 
> > Actually I meant that there's a PR that gets rid of the silly #exec cmd
> > behaviour.
> 
> Oh?  But... but... there is no silly exec cmd behaviour.  What it does is
> correct.  What PR is this?
> 
> > 
> > Dean
> > 
> > On Wed, 25 Feb 1998, Marc Slemko wrote:
> > 
> > > On Wed, 25 Feb 1998, Dean Gaudet wrote:
> > > 
> > > > There's a PR in the database that fixes this questionable behaviour.  It's
> > > > ancient, and probably suspended.
> > > > 
> > > > (suspended PRs == ignored PRs, unfortunately)
> > > 
> > > No, they just mean no one knows what to do.  The issue with this one is
> > > that it is explicitly denied for what claims to be security reasons or
> > > something.  There may be more impact than just this to changing it.
> > > 
> > > > 
> > > > Dean
> > > > 
> > > > On Wed, 25 Feb 1998, Marc Slemko wrote:
> > > > 
> > > > > On Wed, 25 Feb 1998, Martin Kraemer wrote:
> > > > > 
> > > > > > On my linux box at home, I can execute commands without an explicit
> > > > > > Options +ExecCGI anywhere around. Is that intentional?
> > > > > > I thought it should be forbidden...
> > > > > 
> > > > > The way it is currently is correct, because exec cmd has nothing to do
> > > > > with CGIs.
> > > > > 
> > > > > The only bogon I am aware of in that area is that IncludesNOEXEC does not
> > > > > currently allow AddHandler'd CGIs to be run by include virtual but only
> > > > > allows ScriptAliased ones.  IncludesNOEXEC should still allow include
> > > > > virtual to include things that would be run as CGIs if accessed directly
> > > > > anyway.
> > > > > 
> > > > > > The only Options configured are
> > > > > >     Options Indexes FollowSymLinks
> > > > > > 
> > > > > >     Martin


Re: without Options +ExecCGI?

Posted by Marc Slemko <ma...@worldgate.com>.
On Wed, 25 Feb 1998, Dean Gaudet wrote:

> Actually I meant that there's a PR that gets rid of the silly #exec cmd
> behaviour.

Oh?  But... but... there is no silly exec cmd behaviour.  What it does is
correct.  What PR is this?

> 
> Dean
> 
> On Wed, 25 Feb 1998, Marc Slemko wrote:
> 
> > On Wed, 25 Feb 1998, Dean Gaudet wrote:
> > 
> > > There's a PR in the database that fixes this questionable behaviour.  It's
> > > ancient, and probably suspended.
> > > 
> > > (suspended PRs == ignored PRs, unfortunately)
> > 
> > No, they just mean no one knows what to do.  The issue with this one is
> > that it is explicitly denied for what claims to be security reasons or
> > something.  There may be more impact than just this to changing it.
> > 
> > > 
> > > Dean
> > > 
> > > On Wed, 25 Feb 1998, Marc Slemko wrote:
> > > 
> > > > On Wed, 25 Feb 1998, Martin Kraemer wrote:
> > > > 
> > > > > On my linux box at home, I can execute commands without an explicit
> > > > > Options +ExecCGI anywhere around. Is that intentional?
> > > > > I thought it should be forbidden...
> > > > 
> > > > The way it is currently is correct, because exec cmd has nothing to do
> > > > with CGIs.
> > > > 
> > > > The only bogon I am aware of in that area is that IncludesNOEXEC does not
> > > > currently allow AddHandler'd CGIs to be run by include virtual but only
> > > > allows ScriptAliased ones.  IncludesNOEXEC should still allow include
> > > > virtual to include things that would be run as CGIs if accessed directly
> > > > anyway.
> > > > 
> > > > > The only Options configured are
> > > > >     Options Indexes FollowSymLinks
> > > > > 
> > > > >     Martin


Re: without Options +ExecCGI?

Posted by Dean Gaudet <dg...@arctic.org>.
Actually I meant that there's a PR that gets rid of the silly #exec cmd
behaviour.

Dean

On Wed, 25 Feb 1998, Marc Slemko wrote:

> On Wed, 25 Feb 1998, Dean Gaudet wrote:
> 
> > There's a PR in the database that fixes this questionable behaviour.  It's
> > ancient, and probably suspended.
> > 
> > (suspended PRs == ignored PRs, unfortunately)
> 
> No, they just mean no one knows what to do.  The issue with this one is
> that it is explicitly denied for what claims to be security reasons or
> something.  There may be more impact than just this to changing it.
> 
> > 
> > Dean
> > 
> > On Wed, 25 Feb 1998, Marc Slemko wrote:
> > 
> > > On Wed, 25 Feb 1998, Martin Kraemer wrote:
> > > 
> > > > On my linux box at home, I can execute commands without an explicit
> > > > Options +ExecCGI anywhere around. Is that intentional?
> > > > I thought it should be forbidden...
> > > 
> > > The way it is currently is correct, because exec cmd has nothing to do
> > > with CGIs.
> > > 
> > > The only bogon I am aware of in that area is that IncludesNOEXEC does not
> > > currently allow AddHandler'd CGIs to be run by include virtual but only
> > > allows ScriptAliased ones.  IncludesNOEXEC should still allow include
> > > virtual to include things that would be run as CGIs if accessed directly
> > > anyway.
> > > 
> > > > The only Options configured are
> > > >     Options Indexes FollowSymLinks
> > > > 
> > > >     Martin


Re: without Options +ExecCGI?

Posted by Marc Slemko <ma...@worldgate.com>.
On Wed, 25 Feb 1998, Dean Gaudet wrote:

> There's a PR in the database that fixes this questionable behaviour.  It's
> ancient, and probably suspended.
> 
> (suspended PRs == ignored PRs, unfortunately)

No, they just mean no one knows what to do.  The issue with this one is
that it is explicitly denied for what claims to be security reasons or
something.  There may be more impact than just this to changing it.

> 
> Dean
> 
> On Wed, 25 Feb 1998, Marc Slemko wrote:
> 
> > On Wed, 25 Feb 1998, Martin Kraemer wrote:
> > 
> > > On my linux box at home, I can execute commands without an explicit
> > > Options +ExecCGI anywhere around. Is that intentional?
> > > I thought it should be forbidden...
> > 
> > The way it is currently is correct, because exec cmd has nothing to do
> > with CGIs.
> > 
> > The only bogon I am aware of in that area is that IncludesNOEXEC does not
> > currently allow AddHandler'd CGIs to be run by include virtual but only
> > allows ScriptAliased ones.  IncludesNOEXEC should still allow include
> > virtual to include things that would be run as CGIs if accessed directly
> > anyway.
> > 
> > > The only Options configured are
> > >     Options Indexes FollowSymLinks
> > > 
> > >     Martin


Re: without Options +ExecCGI?

Posted by Dean Gaudet <dg...@arctic.org>.
There's a PR in the database that fixes this questionable behaviour.  It's
ancient, and probably suspended.

(suspended PRs == ignored PRs, unfortunately)

Dean

On Wed, 25 Feb 1998, Marc Slemko wrote:

> On Wed, 25 Feb 1998, Martin Kraemer wrote:
> 
> > On my linux box at home, I can execute commands without an explicit
> > Options +ExecCGI anywhere around. Is that intentional?
> > I thought it should be forbidden...
> 
> The way it is currently is correct, because exec cmd has nothing to do
> with CGIs.
> 
> The only bogon I am aware of in that area is that IncludesNOEXEC does not
> currently allow AddHandler'd CGIs to be run by include virtual but only
> allows ScriptAliased ones.  IncludesNOEXEC should still allow include
> virtual to include things that would be run as CGIs if accessed directly
> anyway.
> 
> > The only Options configured are
> >     Options Indexes FollowSymLinks
> > 
> >     Martin


Re: without Options +ExecCGI?

Posted by Marc Slemko <ma...@worldgate.com>.
On Wed, 25 Feb 1998, Martin Kraemer wrote:

> On my linux box at home, I can execute commands without an explicit
> Options +ExecCGI anywhere around. Is that intentional?
> I thought it should be forbidden...

The way it is currently is correct, because exec cmd has nothing to do
with CGIs.

The only bogon I am aware of in that area is that IncludesNOEXEC does not
currently allow AddHandler'd CGIs to be run by include virtual but only
allows ScriptAliased ones.  IncludesNOEXEC should still allow include
virtual to include things that would be run as CGIs if accessed directly
anyway.

> The only Options configured are
>     Options Indexes FollowSymLinks
> 
>     Martin
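As an added example (not code from this thread or from the Apache project), a Python audit that models how Apache merges per-directory Options and reports where `#exec cmd` would be honoured: it illustrates Martin's point that nothing sets OPT_INCNOEXEC unless the webmaster adds IncludesNOEXEC, and Marc's point that ExecCGI is not what gates exec cmd. The bit values, the historical `Options All` server default, the prefix-based ancestor merge and the sample config are assumptions; `include virtual`, which Marc says IncludesNOEXEC is meant to keep working, is not modelled.

```python
import re

# Option bits modelled after Apache's OPT_* flags (assumption: simplified to
# the options this thread mentions; MultiViews is omitted).
INDEXES, INCLUDES, INCNOEXEC, SYMLINKS, EXECCGI = 1, 2, 4, 8, 16
OPTION_BITS = {"indexes": INDEXES, "followsymlinks": SYMLINKS, "execcgi": EXECCGI,
               "includes": INCLUDES, "none": 0,
               "includesnoexec": INCLUDES | INCNOEXEC,  # SSI on, '#exec' refused
               "all": INDEXES | INCLUDES | SYMLINKS | EXECCGI}  # never sets NOEXEC

def merge_options(inherited, words):
    """+X/-X adjust the inherited set; a plain list replaces it entirely."""
    relative = any(w[0] in "+-" for w in words)
    bits = inherited if relative else 0
    for w in words:
        sign, name = (w[0], w[1:]) if w[0] in "+-" else ("+", w)
        mask = OPTION_BITS[name.lower()]  # KeyError on an option we do not model
        bits = (bits | mask) if sign == "+" else (bits & ~mask)
    return bits

def exec_cmd_allowed(bits):
    """'#exec cmd' runs only with Includes on and NOEXEC off; ExecCGI is irrelevant."""
    return bool(bits & INCLUDES) and not (bits & INCNOEXEC)

_DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>\s*$', re.I)
_DIR_CLOSE = re.compile(r"^\s*</Directory>\s*$", re.I)
_OPTIONS = re.compile(r"^\s*Options\s+(.+?)\s*$", re.I)

def audit(config_text, server_default=OPTION_BITS["all"]):
    """Effective option bits for the server level ('/') and each <Directory>,
    each merged onto its nearest configured ancestor (historical default: All)."""
    directives, scope = {"/": []}, "/"
    for line in config_text.splitlines():
        if m := _DIR_OPEN.match(line):
            scope = m.group(1).rstrip("/") or "/"
            directives.setdefault(scope, [])
        elif _DIR_CLOSE.match(line):
            scope = "/"
        elif m := _OPTIONS.match(line):
            directives[scope].append(m.group(1).split())
    effective = {}
    for path in sorted(directives, key=len):  # ancestors before their children
        ancestors = [p for p in effective if path.startswith(p.rstrip("/") + "/")]
        bits = effective[max(ancestors, key=len)] if ancestors else server_default
        for words in directives[path]:
            bits = merge_options(bits, words)
        effective[path] = bits
    return effective

# Constructed sample httpd.conf fragment (not a configuration from the thread).
SAMPLE_CONF = """\
<Directory "/var/www">
    Options Indexes FollowSymLinks Includes
</Directory>
<Directory "/var/www/ssi-safe">
    Options +IncludesNOEXEC
</Directory>
<Directory "/var/www/static">
    Options Indexes FollowSymLinks
</Directory>
"""

def exec_cmd_report(config_text=SAMPLE_CONF):
    """Map each configured path to whether '#exec cmd' would be honoured there."""
    return {p: exec_cmd_allowed(b) for p, b in audit(config_text).items()}
```

In the sample, the server default and `/var/www` both leave exec cmd enabled, `/var/www/ssi-safe` turns it off with `+IncludesNOEXEC`, and `/var/www/static` has no SSI at all because its absolute list drops Includes.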