Re: Securing handler from direct access via URL.

Jefferson Ogata wrote:

> That sounds like a potentially extremely dangerous configuration.

Agreed, which is why I'm asking how to not do it.  All the non-mod_php
examples I seem to find on the net are set up in this configuration.
I cannot get "Action" to point to something other than a cgi script,
and I don't know if there's another directive that will do what I want
(SetHandler will kibosh all files in that directory, which will affect
the non-php resources).

> Interpreters in general should never be accessible as direct CGIs if
> there's any way for an attacker to submit input to them for
> interpretation. (Consider also POSTing to
> http:///cgi-bin/php5+/dev/fd/0.)

Yes, again, I know it's dangerous, hence the concern of my original post.
Was my subject line ambiguous?

--
Regards,
 Daryl Tester

"It's bad enough to have two heads, but it's worse when one's unoccupied."
 -- Scatterbrain, "I'm with Stupid."

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
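
A detection-side companion to the concern in this message, as an added example (not code from the thread or from the Apache project): the access log's `%r` field is the client's original request line, so in an Action-based setup normal page requests are logged under their own URL and any entry naming the interpreter path is a direct request. The `/cgi-bin/php5` location is taken from the thread; the function names and log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption: interpreter location as quoted in the thread; match your ScriptAlias.
INTERPRETER = "/cgi-bin/php5"

# Common/combined log prefix: host ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def normalize(target):
    """Drop the query, percent-decode, collapse repeated slashes and dot segments."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/+", "/", path))

def hits_interpreter(target):
    """True when the client-supplied path names the interpreter itself."""
    path = normalize(target)
    if not path.startswith(INTERPRETER):
        return False
    rest = path[len(INTERPRETER):]
    # "" is the bare binary, "/..." is PATH_INFO, "+..." is the form quoted in the thread
    return rest == "" or rest[0] in "/+"

def find_direct_hits(lines):
    """Return (host, method, target, status) for each direct interpreter request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and hits_interpreter(m.group("target")):
            hits.append((m.group("host"), m.group("method"),
                         m.group("target"), int(m.group("status"))))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [10/Oct/2008:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326',
    '192.0.2.44 - - [10/Oct/2008:13:56:01 +0000] "POST /cgi-bin/php5+/dev/fd/0 HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Oct/2008:13:56:09 +0000] "GET /cgi-bin//php5/index.php HTTP/1.1" 200 2326',
    '192.0.2.10 - - [10/Oct/2008:13:57:12 +0000] "GET /cgi-bin/php5info.cgi HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for hit in find_direct_hits(SAMPLE):
        print(*hit)
```

The logged status tells you whether the server actually answered the direct request, which is the part worth alerting on.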


