>Number: 1752
>Category: config
>Synopsis: .cgi files execute as a cgi and I don't want them to.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Sun Feb 1 11:50:00 PST 1998
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.2.4
>Environment:
I'm running Linux 2.0.33, RedHat release 4.1, gcc 2.7.2.1.
>Description:
I know your page said nothing about cgi's, but this is not about programming them. In the srm.conf I have made sure the AddHandler line with .cgi is commented out, but users on my system can simply put .cgi as a file and they can execute cgi's with the webserver's permissions. I have installed cgiwrap, and it works well. But there is a problem: users don't have to go through the wrapper if they put .cgi. Is there somewhere in the source that .cgi is enabled by default? How can I turn it off, and still let certain users use cgi through the wrapper?
>How-To-Repeat:
www.cheapnet.net/~mike/cgi-bin/wwwlog.pl <- normal file I want to go through the wrapper at, like: www.cheapnet.net/cgi-bin/cgiwrap/~mike/wwwlog.pl
BUT if a user did something like www.cheapnet.net/~mike/cgi-bin/wwwlog.cgi they can get through without using the wrapper!?
>Fix:
Turn .cgi off by default in the source, if that is the way it is set up right now.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need to include <[EMAIL PROTECTED]> in the Cc line and leave the subject line UNCHANGED. This is not done automatically because of the potential for mail loops.]
