As Joshua suggested, I have separated the content changes from the formatting changes. Listed below are the proposed content changes for the Server Side Includes section. If they are acceptable, I will continue working on the rest of the security tips documentation, according to the proposal outlined earlier.
Any feedback is greatly appreciated. Index: httpd-docs-1.3/htdocs/manual/misc/security_tips.html =================================================================== RCS file: /home/cvspublic/httpd-docs-1.3/htdocs/manual/misc/security_tips.html,v retrieving revision 1.23 diff -u -r1.23 security_tips.html --- httpd-docs-1.3/htdocs/manual/misc/security_tips.html 2001/09/24 01:36:41 1.23 +++ httpd-docs-1.3/htdocs/manual/misc/security_tips.html 2001/10/01 23:06:59 
@@ -70,13 +70,40 @@ <P> <HR> <H2>Server Side Includes</H2> -<P>Server side includes (SSI) can be configured so that users can execute -arbitrary programs on the server. That thought alone should send a shiver -down the spine of any sys-admin.<P> - -One solution is to disable that part of SSI. To do that you use the -IncludesNOEXEC option to the <A HREF="../mod/core.html#options">Options</A> -directive.<P> +<p>Server Side Includes (SSI), present a server administrator with +several potential security risks.</p> + +<p> +The first risk is the increased load on the server. All SSI-enabled +files have to be parsed by Apache, whether or not there are any SSI +directives included within the file. While this load increase is +minor, in a shared server environment it can become significant.</p> + +<p> +SSI files also pose the same risks that are associated with CGI scripts +in general. A user can execute any CGI script through an SSI-enabled +file. That should definitely give server administrators pause.</p> + +<p> +There are ways to enhance the security of SSI files, while still taking +advantage of the benefits they provide.</p> + +<p> +To start, never enable SSI for files with .html or .htm extension. +This is especially true in a shared, or heavily trafficked, server +environment. SSI-enabled files should have a separate extension, +such as the conventional .shtml. This helps keep server load at a minimum. +</p> + +<p>Another solution is to disable the #exec command withing SSI. To do +that you use the IncludesNOEXEC option to the +<a href="../mod/core.html#options">Options</a> directive.</p> + +<blockquote><code> +<Directory /> <br> +Options IncludesNOEXEC <br> +</Directory> <br> +</code></blockquote> <HR> -- Allan Liska [EMAIL PROTECTED] http://www.allan.org --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
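Review bot: the IncludesNOEXEC paragraph promises more than the option delivers. IncludesNOEXEC disables `#exec cmd` and `#exec cgi`, but an SSI file can still run a CGI script with `#include virtual` against a ScriptAlias'd URL, so the earlier sentence "A user can execute any CGI script through an SSI-enabled file" remains true after the suggested fix; add a sentence saying that CGI execution must be restricted separately (ScriptAlias / ExecCGI placement) and that IncludesNOEXEC only removes the shell-command path. The configuration example also needs two fixes: the raw `<Directory />` and `</Directory>` inside `<code>` will be parsed by a browser as HTML tags and vanish, so escape them as `&lt;Directory /&gt;` and `&lt;/Directory&gt;`; and `Options IncludesNOEXEC` without a `+` replaces the entire Options list for the whole tree, which is a larger change than the text implies and deserves a clause (or use `Options +IncludesNOEXEC` and say why). Minor: "withing" should be "within", and the comma in "Server Side Includes (SSI), present a server administrator" should go.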