I have made the syntax corrections suggested by Chris Pepper and would
like to see if there are any additional comments about the SSI changes.
Thanks!
allan
Index: httpd-docs-1.3/htdocs/manual/misc/security_tips.html
===================================================================
RCS file: /home/cvspublic/httpd-docs-1.3/htdocs/manual/misc/security_tips.html,v
retrieving revision 1.25
diff -u -r1.25 security_tips.html
--- httpd-docs-1.3/htdocs/manual/misc/security_tips.html 2001/10/02
15:40:07 1.25
+++ httpd-docs-1.3/htdocs/manual/misc/security_tips.html 2001/10/05
03:45:10
@@ -95,15 +95,46 @@
<h2><a id="ssi" name="ssi">Server Side Includes</a></h2>
- <p>Server side includes (SSI) can be configured so that users
- can execute arbitrary programs on the server. That thought
- alone should send a shiver down the spine of any sys-admin.</p>
+ <p>Server Side Includes (SSI), present a server administrator with
+ several potential security risks.</p>
+
+ <p>
+ The first risk is the increased load on the server. All SSI-enabled
+ files have to be parsed by Apache, whether or not there are any SSI
+ directives included within the files. While this load increase is
+ minor, in a shared server environment it can become significant.</p>
+
+ <p>
+ SSI files also pose the same risks that are associated with CGI scripts
+ in general. Using the "exec cmd" element, SSI-enabled files can execute
+ any CGI script or program owned by the user and group Apache runs as, as
+ configured in httpd.conf. That should definitely give server
+ administrators pause.</p>
- <p>One solution is to disable that part of SSI. To do that you
- use the IncludesNOEXEC option to the <a
- href="../mod/core.html#options">Options</a> directive.</p>
+ <p>
+ There are ways to enhance the security of SSI files, while still taking
+ advantage of the benefits they provide.</p>
- <p></p>
+ <p>To decrease the amount of damage a wayward SSI file can cause a
+ server administrator can enable <a href="../docs/suexec.html"
+ >suexec</a>. Suexec provides several levels of protection for a
+ server. It limits the users who can execute CGI scripts or programs
+ on the server (by restricting access only to the user and group defined
+ in httpd.conf). Suexec also checks to ensure all parsed files meet
+ its security standards prior to execution.
+
+ <p>
+ Enabling SSI for files with .html or .htm extensions is probably a bad
+ idea. This is especially true in a shared, or high
+ traffic, server environment. SSI-enabled files should have a
+ separate extension, such as the conventional .shtml. This helps keep
+ server load at a minimum, and increases security.</p>
+
+
+ <p>Another solution is to disable the #exec element within SSI. To do
+ this replace Options Includes with Options IncludesNOEXEC within the
+ <a href="../mod/core.html#options">Options</a> directive.</p>
+
<hr />
<h2><a id="nsaliasedcgi" name="nsaliasedcgi">Non Script Aliased
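Review bot: the suexec paragraph (the `<p>` beginning "To decrease the amount of damage a wayward SSI file can cause") misdescribes what suexec does and is never closed with `</p>`. suexec does not restrict execution "only to the user and group defined in httpd.conf"; it switches the CGI child to run as the target user and group (the User/Group of the enclosing VirtualHost, or the account owner for ~user requests) and only after a set of checks such as refusing root and low-numbered UIDs, requiring the script and its directory to be owned by that user and not writable by others, and keeping the target under the document root or user directory. Suggest rewording along the lines of "suexec runs CGI programs as a user other than the server user and refuses to run any script that fails its ownership and permission checks", and add the missing `</p>` after "prior to execution." Two smaller points in the same hunk: "any CGI script or program owned by the user and group Apache runs as" is too narrow, since `exec cmd` hands the string to /bin/sh running as the server user, so anything that user is permitted to execute is reachable (suggest "any program the server's user and group are allowed to run"); and `href="../docs/suexec.html"` looks wrong for a page under manual/misc/, where the neighbouring link is `../mod/core.html#options`, so the suexec page in the 1.3 manual should be reached as `../suexec.html`. Finally, drop the stray comma in "Server Side Includes (SSI), present".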
--
Allan Liska
[EMAIL PROTECTED]
http://www.allan.org