On 8/18/06, Mark J Cox <[EMAIL PROTECTED]> wrote:
See
http://marc.theaimsgroup.com/?l=bugtraq&m=115527423727441&w=2

which basically reports "if you put cgi-bin under docroot then you can
view cgi scripts on OS which have case insensitive filesystems"

Joe replied:
http://marc.theaimsgroup.com/?l=bugtraq&m=115574424402976&w=2
and I submitted that as a "DISPUTED" to CVE

But the original reporter disagrees:
http://marc.theaimsgroup.com/?l=bugtraq&m=115583509231594&w=2

I think the right response here is to make it more explicit in the
documentation that putting a ScriptAlias cgi-bin inside document root is
bad.

Yes, this is a relatively common configuration error.  Although this
does not make it a bug, it does point out that our documentation could
be clearer.  Unfortunately, the basic problem is that people see the
ScriptAlias in the default config file and assume that is the only way
to activate cgi scripts, so regardless of what we put in the docs, it
won't help that much.

Something like the following should probably be added to the docs for
ScriptAlias (and perhaps in the CGI tutorial):

<note><directive>ScriptAlias</directive> is used to
<strong>both</strong> map a URL to a directory <strong>and</strong>
mark requests for that URL as pointing to CGI scripts.  It should not
be used for directories that are already accessible from the web
because they are under the <directive
module="core">DocumentRoot</directive>, for example.  Instead, you can
use:
<example>
&lt;Directory /usr/local/apache2/htdocs/cgi-dir &gt;<br />
SetHandler cgi-script<br />
Options ExecCGI<br />
&lt;/Directory&gt;
</example></note>

Joshua.
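The misconfiguration under discussion is mechanical enough to audit for: a ScriptAlias whose filesystem target lies inside DocumentRoot makes the same directory reachable both as CGI (via the alias) and as plain files (via the document root). The following is an added example, not code from the thread or the Apache project; the httpd.conf fragment is constructed, and the check only handles plain `ScriptAlias` lines with a single global `DocumentRoot`.

```python
import os
import re

# Constructed httpd.conf fragment (not from the original thread).  The first
# ScriptAlias points inside DocumentRoot, which is the pattern the thread
# warns about; the second points outside it and is fine.
SAMPLE_CONF = """
DocumentRoot "/usr/local/apache2/htdocs"
ScriptAlias /cgi-bin/ "/usr/local/apache2/htdocs/cgi-bin/"
ScriptAlias /admin-cgi/ "/usr/local/apache2/cgi-bin/"
<Directory "/usr/local/apache2/htdocs/cgi-dir">
    SetHandler cgi-script
    Options ExecCGI
</Directory>
"""

_DOCROOT_RE = re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', re.M)
_SCRIPTALIAS_RE = re.compile(r'^\s*ScriptAlias\s+(\S+)\s+"?([^"\s]+)"?', re.M)


def _inside(path, root):
    """True if `path` equals `root` or lies beneath it after normalisation.

    Appending os.sep keeps a sibling such as /htdocs-old from matching /htdocs.
    """
    path = os.path.normpath(path)
    root = os.path.normpath(root)
    return path == root or path.startswith(root + os.sep)


def find_scriptalias_under_docroot(conf_text):
    """Return (url_prefix, fs_path) pairs whose ScriptAlias target is inside DocumentRoot.

    Such a directory is served twice: through the alias (run as CGI) and
    through DocumentRoot (sent as a plain file).  A request that does not
    match the alias prefix exactly, e.g. differently cased on a
    case-insensitive filesystem, falls through to the plain-file path and
    discloses script source.  The fix is a <Directory> block with
    SetHandler cgi-script, as proposed in the message above.
    """
    m = _DOCROOT_RE.search(conf_text)
    if not m:
        return []
    docroot = m.group(1)
    return [(url, fs) for url, fs in _SCRIPTALIAS_RE.findall(conf_text)
            if _inside(fs, docroot)]


if __name__ == "__main__":
    for url, fs in find_scriptalias_under_docroot(SAMPLE_CONF):
        print(f"ScriptAlias {url} -> {fs} is inside DocumentRoot; use <Directory> + SetHandler instead")
```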
