You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/07/25 06:37:05 UTC

DO NOT REPLY [Bug 21873] New: - point 4 under the �suEXEC Security Model� of the �suEXEC Support documentation�

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21873>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21873

point 4 under the �suEXEC Security Model� of the �suEXEC Support documentation�

           Summary: point 4 under the �suEXEC Security Model� of the �suEXEC
                    Support documentation�
           Product: Apache httpd-2.0
           Version: 2.0.47
          Platform: All
               URL: http://httpd.apache.org/docs-2.0/suexec.html
        OS/Version: Linux
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Documentation
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: sagaralists@yahoo.com


The point 4 (Does the target program have an unsafe hierarchical reference?)
under the �suEXEC Security Model� of the �suEXEC Support documentation�
(http://httpd.apache.org/docs-2.0/suexec.html). 

It not clear whether you are referring to the CGI program�s path or program�s
content or both. 


Existing rule:
4.  Does the target program have an unsafe hierarchical reference? 
Does the target program contain a leading '/' or have a '..' backreference?
These are not allowed; the target program must reside within the Apache webspace. 

The above would be better written as follows:

4. Does the target CGI program�s path have an unsafe hierarchical reference? 
Does the target CGI program�s path contain a leading '/' or have a '..'
backreference? These are not allowed; the target CGI program must reside within
the suEXEC's docroot (--with-suexec-docroot=DIR).

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org