Nick Kew wrote:
>
> On 5 Jun 2009, at 10:53, Seema Alevoor wrote:
>
>> Hi,
>>
>> Please review the changes for CR 6838652
>> ( pre-configured printenv and testcgi can leak information to network
>> clients )
>> at http://cr.opensolaris.org/~seema/6838652/
>
> I really don't like that fix.
> Better for the default to forbid them to the outside world:
>
>     <Files test-cgi>
>         Deny from all
>         Allow from 127.0.0.1
>     </Files>
>
> (ditto printenv)
> at the point where /cgi-bin/ is scriptaliased.
Still an information leak (but of course to a smaller audience, unless there is some proxying, such as Apache behind Lighttpd or similar).

How useful are these anyway? (Not much at all, IMO.)

How confident can we be diverging from httpd and other distributors on a security-related issue?
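For reference, here is what the loopback-only restriction discussed above looks like when attached to the ScriptAlias'd cgi-bin directory. This is an added example written for this thread, not the change under review at the CR link and not Nick's exact text; the filesystem path is a placeholder, and the FilesMatch form is just a way to cover printenv and test-cgi in one block.

```apache
# Added example, not part of the thread or the reviewed change.
# The cgi-bin path below is a placeholder; use the distribution's real one.
ScriptAlias /cgi-bin/ "/path/to/cgi-bin/"

<Directory "/path/to/cgi-bin/">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all

    # printenv and test-cgi echo the CGI environment (server paths,
    # request headers, software versions) back to whoever requests them,
    # so by default only the local host may reach them.
    <FilesMatch "^(printenv|test-cgi)$">
        # Order deny,allow is required here: with allow,deny a request
        # matching both "Deny from all" and "Allow from 127.0.0.1" is denied.
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        # httpd 2.4 equivalent (mod_authz_core):
        #   Require local
    </FilesMatch>
</Directory>
```

Two caveats a reviewer would check. First, the Order line matters in 2.2: the three-line Deny/Allow pair only works as intended when Deny is evaluated first, which is what `Order deny,allow` selects. Second, as the reply above notes, a reverse proxy running on the same machine (Lighttpd, a local load balancer) connects from 127.0.0.1 itself, so in that deployment the Allow line admits every proxied client and the safer default is to leave only `Deny from all` or to not ScriptAlias those two scripts at all.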