> > "We will now be running CGI scripts on mirror sites." Hmm, I don't think it's
> > that easy. Apache is a great software in many ways, one of these ways is that
> > with a little basic knowledge of the Apache system it's quite easy to maintain
> > basic security. I would expect that most, if not all, mirrored www-sites won't
> > let any executable file with cgi-suffix be executed by default. At least it
> > wouldn't here at apache.dc.luth.se.
> 
> Okay, sounds like a solid vote against in-place CGI's.  Several sites
> do allow CGI's, and we will thoroughly examine whatever CGI's we give
> you to run.  For example, none of the CGI's being given you
> involve parsing or interpreting user input, so the chances for a
> security hole to pop up are much smaller.

Hmm, I'm sorry, I should have been clearer on that. What I meant was that when
there are no explicit reasons for having CGI's and SSI etc, etc allowed, I always
have them turned off so I won't have to worry about any unexpected implications.

If CGI-programs are an essential part of the content that is mirrored I surely
won't have anything against it if there are reasonable security precautions taken.

So, my answer looking like a solid vote against CGI's was my fault.


Wkr


/G

-- 
 Göran Öberg <[EMAIL PROTECTED]>        <URL:http://www.luth.se/~goggi/>
 Computer Support Center                       Adm./CoAdm. of
 Luleå University, SWEDEN         {www,proxy,{www,apache}.dc,ftp}.luth.se
_________________________________________________________________________

