On 04/23/2009 02:31 PM, Joe Orton wrote:
> A security issue in the handling of the Includes and IncludesNoExec
> directives was reported recently, and I'm after some help.
>
> The security issues are as follows:
>
> a) If "AllowOverride Options=IncludesNoEXEC" is configured in
> httpd.conf, a user can put "Options Includes" in an .htaccess
> file and SSI will be enabled *with* exec= permitted
>
> b) If "AllowOverride Options=IncludesNoEXEC" is configured in
> httpd.conf, and "Options IncludesNoExec" is enabled in the same
> <Directory> context, then merely placing "Options +IncludesNoExec" in
> an .htaccess file also results in SSI enabled with exec= permitted
>
> These are fixable but one question is left on how a particular
> combination of Includes and IncludesNoExec is interpreted:
>
> - if httpd.conf has "Options Includes", and an .htaccess file has
> "Options +IncludesNoExec" - should exec= be permitted in an SSI?
>
> I can argue this either way but am tending towards "no"; I'd very much
> welcome further opinions on this.
As you, I can find arguments for both, but "no" seems to be the solution with the least surprise and is safer, so we should not permit exec in this case.

Regards
Rüdiger
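The merge semantics the thread settles on, as an added toy model (not httpd's own code): an .htaccess may only name options listed in AllowOverride, and IncludesNoExec never grants exec= and removes it when layered on top of Includes. The function names, the bit values and the PermissionError signalling are assumptions made for this illustration.

```python
# Toy model of Apache httpd "Options" merging for the Includes / IncludesNoExec
# cases in the thread. Added illustration only; httpd's real merge logic differs.

INCLUDES = 1   # server-side includes allowed
INC_EXEC = 2   # exec= allowed inside an SSI page


def option_bits(name):
    """Bits granted by a single Options keyword (only the two under discussion)."""
    if name == "Includes":
        return INCLUDES | INC_EXEC   # Includes implies exec= is permitted
    if name == "IncludesNoExec":
        return INCLUDES              # SSI without exec=
    raise ValueError(f"unknown option {name!r}")


def parse_allow_override(value):
    """'Options' -> every modelled option; 'Options=A,B' -> just those names."""
    if value == "Options":
        return {"Includes", "IncludesNoExec"}
    if not value.startswith("Options="):
        raise ValueError(f"unsupported AllowOverride value {value!r}")
    return set(value[len("Options="):].split(","))


def merge_options(parent_bits, allow_override, htaccess_value):
    """Apply the value of an .htaccess 'Options' line on top of the parent bits.

    Rule 1 (case a): a keyword not listed in AllowOverride is rejected, so
    'Options Includes' cannot turn exec= on when only IncludesNoExec is overridable.
    Rule 2 (case b and the open question): IncludesNoExec, plain or with '+',
    never grants exec= and strips it if the parent context had it.
    """
    allowed = parse_allow_override(allow_override)
    tokens = htaccess_value.split()
    # Absolute form (no +/- on the first keyword) replaces the inherited set.
    bits = parent_bits if tokens and tokens[0][0] in "+-" else 0
    for token in tokens:
        sign = token[0] if token[0] in "+-" else "+"
        name = token.lstrip("+-")
        if name not in allowed:
            raise PermissionError(f"Options {name} is not permitted by AllowOverride")
        if sign == "-":
            bits &= ~option_bits(name)
        else:
            bits |= option_bits(name)
            if name == "IncludesNoExec":
                bits &= ~INC_EXEC    # rule 2: NoExec wins over an inherited exec=
    return bits


def exec_permitted(bits):
    return bool(bits & INCLUDES) and bool(bits & INC_EXEC)
```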
