httpd-users mailing list archives

From Daryl Tester
Subject Re: [users@httpd] Securing handler from direct access via URL.
Date Thu, 09 Sep 2010 21:37:53 GMT
Jefferson Ogata wrote:

> That sounds like a potentially extremely dangerous configuration.

Agreed, which is why I'm asking how to not do it.  All the non-mod_php
examples I seem to find on the net are set up in this configuration.
I cannot get "Action" to point to something other than a cgi script,
and I don't know if there's another directive that will do what I want
(SetHandler will kibosh all files in that directory, which will affect
the non-php resources).

> Interpreters in general should never be accessible as direct CGIs if 
> there's any way for an attacker to submit input to them for 
> interpretation. (Consider also POSTing to http:///cgi-bin/php5+/dev/fd/0.)

Yes, again, I know it's dangerous, hence the concern of my original post.
Was my subject line ambiguous?

  Daryl Tester

"It's bad enough to have two heads, but it's worse when one's unoccupied."
  -- Scatterbrain, "I'm with Stupid."
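
A log check for the exposure discussed in this message, added here as an example and not part of the original thread: with `Action`, the access log records the URL the client asked for, so a request line that itself names the interpreter under the script directory is a direct hit rather than an internally redirected one. The `/cgi-bin/` prefix comes from the quoted URL; the interpreter names other than `php5` and the log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumptions: adjust to the site's ScriptAlias prefix and installed interpreters.
CGI_PREFIX = "/cgi-bin/"
INTERPRETERS = {"php", "php5", "php-cgi", "perl", "python", "sh", "bash"}

# Apache common/combined format: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
NAME_RE = re.compile(r"[\w.-]+")


def direct_interpreter_hit(line):
    """Return (client, method, path, status) when the logged request line
    names an interpreter under CGI_PREFIX, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    # Drop the query string, decode %xx, collapse "//", "./" and "../".
    path = unquote(target.split("?", 1)[0])
    path = posixpath.normpath("/" + path.lstrip("/"))
    if not path.startswith(CGI_PREFIX):
        return None
    # First path segment after the prefix; keep only its leading name token
    # so that trailing characters after the name do not hide a match.
    segment = path[len(CGI_PREFIX):].split("/", 1)[0]
    name = NAME_RE.match(segment)
    if name and name.group(0) in INTERPRETERS:
        return client, method, path, int(status)
    return None


def scan(lines):
    """Return every direct interpreter hit found in an iterable of log lines."""
    return [hit for hit in map(direct_interpreter_hit, lines) if hit]


# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '192.0.2.10 - - [09/Sep/2010:21:30:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [09/Sep/2010:21:31:12 +0000] "POST /cgi-bin/php5/index.php HTTP/1.1" 200 312',
    '203.0.113.7 - - [09/Sep/2010:21:31:15 +0000] "GET /cgi-bin/%70hp5?x=1 HTTP/1.1" 404 210',
    '192.0.2.10 - - [09/Sep/2010:21:32:40 +0000] "GET /cgi-bin/printenv.cgi HTTP/1.1" 200 900',
    '203.0.113.7 - - [09/Sep/2010:21:33:02 +0000] "GET //cgi-bin/./php5 HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("direct interpreter request:", hit)
```

A hit with a 2xx status means the interpreter answered a direct request; 403 or 404 hits show probing against a configuration that is refusing it.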