http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21873

point 4 under the "suEXEC Security Model" of the "suEXEC Support documentation"

           Summary: point 4 under the "suEXEC Security Model" of the "suEXEC Support documentation"
           Product: Apache httpd-2.0
           Version: 2.0.47
          Platform: All
               URL: http://httpd.apache.org/docs-2.0/suexec.html
        OS/Version: Linux
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Documentation
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

The point 4 (Does the target program have an unsafe hierarchical reference?) under the "suEXEC Security Model" of the "suEXEC Support documentation" (http://httpd.apache.org/docs-2.0/suexec.html). It is not clear whether you are referring to the CGI program's path or the program's content or both.

Existing rule:

4. Does the target program have an unsafe hierarchical reference?
   Does the target program contain a leading '/' or have a '..' backreference? These are not allowed; the target program must reside within the Apache webspace.

The above would be better written as follows:

4. Does the target CGI program's path have an unsafe hierarchical reference?
   Does the target CGI program's path contain a leading '/' or have a '..' backreference? These are not allowed; the target CGI program must reside within the suEXEC's docroot (--with-suexec-docroot=DIR).
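The distinction the report asks the documentation to make, as an added C sketch (not httpd's own suexec.c, and not part of the original report): the rule is evaluated on the path string alone, and the program file is never opened. The function names, the component-wise matching, the empty-path handling and the sample docroot /var/www are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Rule 4 applied to the program's path only: reject a leading '/' or any
 * ".." path component. The file's content is never read.
 * Assumption: an empty or NULL path is also treated as unsafe. */
bool path_has_unsafe_reference(const char *cmd)
{
    if (cmd == NULL || cmd[0] == '\0' || cmd[0] == '/')
        return true;
    for (const char *p = cmd; *p != '\0'; ) {
        size_t len = strcspn(p, "/");          /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;                       /* ".." backreference */
        p += len;
        if (*p == '/')
            p++;                               /* step over the separator */
    }
    return false;
}

/* Containment check for the "must reside within the docroot" half of the
 * rule. resolved_dir is assumed to be an absolute, already-resolved
 * directory. The match must end on a component boundary so that
 * "/var/www-other" does not pass for docroot "/var/www". */
bool dir_within_docroot(const char *docroot, const char *resolved_dir)
{
    size_t n = strlen(docroot);
    while (n > 1 && docroot[n - 1] == '/')
        n--;                                   /* ignore trailing slashes */
    if (n == 0 || strncmp(resolved_dir, docroot, n) != 0)
        return false;
    if (n == 1 && docroot[0] == '/')
        return true;                           /* docroot is the root dir */
    return resolved_dir[n] == '\0' || resolved_dir[n] == '/';
}

int main(void)
{
    /* Constructed sample paths, not taken from the report. */
    const char *samples[] = { "test.cgi", "/bin/sh", "../x.cgi",
                              "a/../../x.cgi", "cgi-bin/report..v2.cgi" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i],
               path_has_unsafe_reference(samples[i]) ? "rejected" : "ok");
    return 0;
}
```

A file name that merely contains two dots, such as `report..v2.cgi`, passes because only a whole `..` component counts as a backreference.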
