On 2010-09-09 20:33, Daryl Tester wrote:
This works as it should, but a side effect is that Action is exposing http:///cgi-bin/php5 to the outside world (which barfs when accessed directly). Access permissions on the cgi-bin directory appear to get propagated to the resources I'm trying to "handle", so that doesn't help.
That sounds like a potentially extremely dangerous configuration. I wonder what happens when you POST to that CGI.
Interpreters in general should never be accessible as direct CGIs if there's any way for an attacker to submit input to them for interpretation. (Consider also POSTing to http:///cgi-bin/php5+/dev/fd/0.)
--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|