Re: [cobalt-users] Cobalt wishlist
- Subject: Re: [cobalt-users] Cobalt wishlist
- From: Chris Adams <cmadams@xxxxxxxxxx>
- Date: Wed Apr 5 13:32:20 2000
Once upon a time, Paul Schreiber <cheesefactory@xxxxxxxxx> said:
> --- Chris Adams <cmadams@xxxxxxxxxx> wrote:
> > > You *are* aware that any site web can turn CGI and SSI back on at will
> > > when they are turned off in the GUI by default...? (by simply adding handlers
> > > in .htaccess, unless you intentionally make it non readable to the user)
> >
> > There is a security hole here too (I reported it over a month ago and
> > they said they are working on a fix, but they haven't released one yet).
> >
> > Part of the problem is that the wonderful FrontPage extensions require
> > "AllowOverride All" in the web config file.
>
> Report it to bugtraq. That'll get it fixed -real- fast. :-)

When I had the cgiwrap security hole, that was what seemed to kick them
into action. Maybe this message will filter through to someone and
they'll get it going.

When I had the cgiwrap problem, it was more serious because not only was
it a security problem but it broke functionality. The current problem I
know of doesn't break any functionality, it just lets anyone on a RaQ
edit all FrontPage sites on the RaQ.

Any copy of Apache I set up I would never "AllowOverride All". The only
"safe" things to AllowOverride on are AuthConfig, Indexes, and Limit.
--
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Information Services
I don't speak for anybody but myself - that's enough trouble.
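
Added example, not part of the original message or of any Cobalt code: a small audit that scans Apache configuration text and reports every `AllowOverride` line granting more than the AuthConfig, Indexes and Limit classes named in the post. The sample configuration, its paths and the function name `audit_allowoverride` are constructed for illustration; `None` is accepted because it grants no overrides.

```python
import re

# Override classes the post calls "safe"; "none" grants nothing at all.
SAFE = {"authconfig", "indexes", "limit", "none"}

# Constructed sample configuration (paths are illustrative, not from a real server).
SAMPLE_CONF = """\
<Directory /home/sites/>
    AllowOverride All
</Directory>
<Directory "/home/sites/site1/web">
    # AllowOverride All
    AllowOverride AuthConfig Indexes
</Directory>
<Directory /home/sites/site2/web>
    AllowOverride AuthConfig FileInfo Options
</Directory>
<Directory /home/sites/site3/web>
    AllowOverride None
</Directory>
"""

def audit_allowoverride(conf_text):
    """Return [(line_no, directory, [risky classes])] for every AllowOverride
    line that grants a class outside SAFE. Commented-out lines are ignored."""
    findings, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<Directory(?:Match)?\s+"?([^">]+)"?\s*>', line, re.I)
        if m:                      # entering a <Directory> block
            stack.append(m.group(1).strip())
            continue
        if re.match(r"</Directory(?:Match)?>", line, re.I):
            if stack:
                stack.pop()        # leaving the innermost block
            continue
        m = re.match(r"AllowOverride\s+(.+)", line, re.I)
        if m:
            risky = [c for c in m.group(1).split() if c.lower() not in SAFE]
            if risky:
                scope = stack[-1] if stack else "<server>"
                findings.append((no, scope, risky))
    return findings

if __name__ == "__main__":
    for no, scope, risky in audit_allowoverride(SAMPLE_CONF):
        print(f"line {no}: {scope} allows {', '.join(risky)}")
```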