I don't have this problem on a system set up like so:

    ScriptAlias /cgi-bin/ /home/www/cgi-bin/
    AddHandler cgi-script .cgi

Nor on one using:

    AddType application/x-httpd-cgi cgi

How is your system set up?

Dean

On Mon, 28 Apr 1997, Dan Kearns wrote:

>
> >Number: 497
> >Category: mod_negotiation
> >Synopsis: cgi-bin negotiation bug -> Security hole
> >Confidential: no
> >Severity: critical
> >Priority: medium
> >Responsible: apache (Apache HTTP Project)
> >State: open
> >Class: sw-bug
> >Submitter-Id: apache
> >Arrival-Date: Mon Apr 28 12:30:01 1997
> >Originator: [EMAIL PROTECTED]
> >Organization:
> apache
> >Release: 1.2b8
> >Environment:
> AIX/Solaris, 4.x,2.5.x, gcc, etc.
> >Description:
> If content-negotiation is turned on generally, and a cgi program (say foo.cgi)
> is called unqualified, say as /cgi-bin/foo, it loses its script-ness, and
> returns the source code as text/html!!
>
> >How-To-Repeat:
> Find a script named foo.cgi on a machine with content-neg on, and
> call it as foo ... yikes!
> >Fix:
> This is obviously pretty bad. I will turn off negotiation in cgi-bin dirs,
> and I think something like <Files ~ .cgi|.pl> -ContentNegotiation
> (or whatever the syntax is) will plug the hole generally, but what happens if
> there are alternate versions of a script, eg foo.cgi.es|en ?
>
> Seems like maybe mod_negotiation should be moved the other side of mod_cgi
> in the Makefile?? I don't know what that might affect though...
> >Audit-Trail:
> >Unformatted:
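
Added example (not part of the original thread and not Apache project code): a self-audit an administrator could run against their own server to check whether any script in a cgi-bin directory comes back as source when requested without its extension, as the report describes. The directory path, base URL and all function names are assumptions.

```python
import os
import urllib.error
import urllib.request

SCRIPT_EXTS = (".cgi", ".pl")  # the two extensions named in the report


def unqualified_urls(cgi_dir, base_url):
    """Map each script file in cgi_dir to its URL with the extension dropped."""
    urls = {}
    for name in sorted(os.listdir(cgi_dir)):
        stem, ext = os.path.splitext(name)
        if ext in SCRIPT_EXTS and stem:
            urls[name] = base_url.rstrip("/") + "/" + stem
    return urls


def source_leaked(script_path, body):
    """True if the response body contains the script file itself, not its output."""
    with open(script_path, "rb") as fh:
        source = fh.read().strip()
    return bool(source) and source in body


def http_get(url):
    """Fetch url; return the body bytes, or None on an HTTP or connection error."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.read()
    except (urllib.error.URLError, OSError):
        return None


def audit(cgi_dir, base_url, fetch=http_get):
    """Return the names of scripts whose unqualified URL returns their source."""
    leaked = []
    for name, url in unqualified_urls(cgi_dir, base_url).items():
        body = fetch(url)
        if body is not None and source_leaked(os.path.join(cgi_dir, name), body):
            leaked.append(name)
    return leaked


if __name__ == "__main__":
    # Assumed values: the ScriptAlias target quoted above and a local server.
    for name in audit("/home/www/cgi-bin", "http://localhost/cgi-bin/"):
        print("source returned for unqualified request:", name)
```

An empty result means no script body was returned for any unqualified request; it does not show which handler configuration produced that outcome.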
