Re: [cobalt-users] Re-Directing users on a 404 error
- Subject: Re: [cobalt-users] Re-Directing users on a 404 error
- From: "Zeffie" <cobaltlist@xxxxxxxx>
- Date: Wed Mar 21 17:10:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
<Snip>
> ErrorDocument 403 /401err.shtml
>
> The example above uses .shtml files (server side include HTML files, which
> are found at the web root level of the site (....web/).
>
> Using .shtml files means that you can use an SSI call to some other CGI,
> either logging the incident, alerting the site admin, or both (or just about
> anything else that can be accomplished in SSI).
> Use it wisely.

This opens a security hole for some companies. I always recommend that
"hosting for strangers" companies not give out SSI. It always has been a
bad thing and somehow I don't think it has gotten much better. But let's
look...
from:
http://httpd.apache.org/docs/misc/security_tips.html
Server Side Includes
Server side includes (SSI) can be configured so that users can execute
arbitrary programs on the server. That thought alone should send a shiver
down the spine of any sys-admin.
One solution is to disable that part of SSI. To do that you use the
IncludesNOEXEC option to the Options directive.
http://httpd.apache.org/docs/mod/core.html#options
Looking at a Raq3i in /etc/httpd/conf/access.conf we find
Options Indexes FollowSymLinks Includes MultiViews
Well
Nope it hasn't... Same old story... SSI sucked 4,5 years ago and it still
does. Except when you just have to and it's the only way.
The ball is yours... Remember to make your backups!
Updates to this post can be found at
http://www.zeffie.com/Security/server_side_includes.html
Zeffie
http://www.zeffie.com/
If this message helps you please help others with just a click!
http://www.thehungersite.com/
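
As an added example (not part of the original post or of any Cobalt or Apache tooling), the check the post does by eye on access.conf can be scripted: the sketch below scans Apache configuration text for `Options` lines that enable exec-capable SSI and proposes the `IncludesNOEXEC` form. The function name, the directory paths and the sample configuration are constructed for illustration; only the first `Options` line is the one quoted in the post.

```python
import re

SECTION = re.compile(r'^\s*<(/?)(\w+)\s*([^>]*)>')
OPTIONS = re.compile(r'^\s*Options\s+(.+)$', re.IGNORECASE)

def audit_ssi_exec(conf_text):
    """Return (line_no, enclosing_section, line, suggestion) for every Options
    line that enables exec-capable SSI. suggestion is None when the line uses
    All, which has to be replaced by an explicit option list by hand."""
    findings, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):   # blank line or comment
            continue
        sec = SECTION.match(line)
        if sec:                                # track <Directory ...> nesting
            closing, name, arg = sec.groups()
            if closing:
                if stack:
                    stack.pop()
            else:
                stack.append(f"<{name} {arg}>".replace(" >", ">"))
            continue
        opt = OPTIONS.match(line)
        if not opt:
            continue
        tokens = opt.group(1).split()
        # "-Includes" keeps its minus sign here, so it never matches below
        names = [t.lstrip('+').lower() for t in tokens]
        if 'includes' not in names and 'all' not in names:
            continue
        suggestion = None
        if 'all' not in names:
            fixed = [re.sub(r'(?i)^(\+?)includes$', r'\1IncludesNOEXEC', t)
                     for t in tokens]
            suggestion = 'Options ' + ' '.join(fixed)
        where = stack[-1] if stack else '(server config)'
        findings.append((no, where, line, suggestion))
    return findings

# Constructed sample; paths are hypothetical.
SAMPLE_CONF = """\
# only the next line is quoted from the post
Options Indexes FollowSymLinks Includes MultiViews
<Directory /var/www/customer-a>
    Options +Includes -Indexes
</Directory>
<Directory /var/www/customer-b>
    Options IncludesNOEXEC FollowSymLinks
    # Options Includes
</Directory>
"""

if __name__ == "__main__":
    for no, where, line, fix in audit_ssi_exec(SAMPLE_CONF):
        print(f"line {no} in {where}: {line}\n    suggest: {fix or 'list options explicitly'}")
```

This looks only at the text it is given; where `AllowOverride` permits `Options`, a customer's .htaccess file can turn `Includes` back on and needs the same check.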