In message <[EMAIL PROTECTED]>, Rasmus Lerdorf <[EMAIL PROTECTED]> wrote:
>mod_info will tell you some of this. ie. Look for ScriptAlias lines under
>mod_alias.c and AddHandler cgi-script lines under mod_mime.c.

I was hoping to find a volunteer to actually hack on this for me. I am _not_ well versed in Apache internals myself.

>But you are fighting a bit of a lost cause here. If you allow users to
>upload arbitrary cgi scripts there really isn't much you can do at the
>Apache level. It becomes a system security issue. ie. blocking outbound
>port 25 connections, for example.

I think you miss the point. Yes, what you say is quite true. It _is_ a security issue, and it is not in any sense either (a) Apache's fault or even (b) something that Apache can do anything directly about.

However this is a little like a chronic disease... You may not be able to fully cure it, but if you can keep the symptoms in check then at least that is a lot better than doing nothing.

In the case of FormMail scripts, if the big web hosting companies can just scan all of their CGI directories for them every night and then simply `rm' or `chmod 0000' anything found by the scans of the previous night every morning, then that will be about 99.9% sufficient to eliminate the problem. And that's a lot better than doing nothing.
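
The nightly scan discussed in this message, sketched as an added example (not code from the thread or from the Apache project): it takes the CGI directories from ScriptAlias lines in a config file, walks them, and flags files that look like FormMail. The "formmail" name/content signature, the function names, the sample config and the `--disable` flag are assumptions of this sketch, and scripts enabled through AddHandler cgi-script are not covered.

```python
import os
import re
import sys

# "ScriptAlias <url-path> <directory>"; ScriptAliasMatch and commented lines are skipped.
SCRIPT_ALIAS = re.compile(r'^[ \t]*ScriptAlias[ \t]+\S+[ \t]+"?([^"\s]+)"?', re.I | re.M)
# Assumed heuristic, not from the message: "formmail" in the file name or first 8 KiB.
SIGNATURE = re.compile(rb'formmail', re.I)
# Constructed sample config: only the second line is a live ScriptAlias.
SAMPLE_CONF = '#ScriptAlias /old/ /srv/old-cgi/\nScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"\n'

def cgi_dirs(conf_text):
    """Return the filesystem directories named by ScriptAlias lines."""
    return [m.group(1) for m in SCRIPT_ALIAS.finditer(conf_text)]

def looks_like_formmail(path):
    """True if the file name or the head of the file matches SIGNATURE."""
    if SIGNATURE.search(os.path.basename(path).encode()):
        return True
    try:
        with open(path, 'rb') as fh:
            return bool(SIGNATURE.search(fh.read(8192)))
    except OSError:
        return False  # unreadable, e.g. already chmod 0000 by an earlier run

def scan(dirs):
    """Walk each CGI directory; return files that look like FormMail."""
    hits = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                # Skip symlinks so a later chmod never touches a file outside the tree.
                if not os.path.islink(path) and looks_like_formmail(path):
                    hits.append(path)
    return sorted(hits)

def disable(paths):
    """The message's `chmod 0000' option: file stays in place but cannot run."""
    for path in paths:
        os.chmod(path, 0o000)

if __name__ == '__main__':
    # Hypothetical usage: scan_formmail.py /path/to/httpd.conf [--disable]
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    found = scan(cgi_dirs(conf))
    print('\n'.join(found))
    if '--disable' in sys.argv[2:]:
        disable(found)
```

Run from cron, the listing gives the overnight report; the `--disable` pass corresponds to the morning clean-up step.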
