https://bz.apache.org/bugzilla/show_bug.cgi?id=57777
Bug ID: 57777
Summary: Security concerns with documentation of AddHandler
(and multiple file extensions)
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
Assignee: [email protected]
Reporter: [email protected]
The latest official docs on AddHandler at [1] list
AddHandler cgi-script .cgi
for an example. Why use something as dangerous for an example?
A few lines below, the user is pointed to notes on multiple file extensions at
[2]
but no mention of "security" and no example of an attack scenario
with remote code execution from a user file upload form.
The official FAQ at [3] mentions "AddHandler cgi-script .cgi", too. Why?
The multiple file extension approach of AddHandler seems to be widely unknown:
Dangerous guides enabling CGI or PHP execution using AddHandler can be found
all
accross the internet, including documentation of webhosters and large Linux
distributions.
Therefore I believe Apache users need all the help they can get from the
official
documentation understanding that AddHandler is dangerous to use in many cases.
Ideally, also add a big graphic warning sign in the docs to AddHandler
and/or boldly discourage its use altogether. That would rock the house.
Thanks in advance!
[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler
[2] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext
[3]
https://wiki.apache.org/httpd/FAQ#How_do_I_enable_CGI_execution_in_directories_other_than_the_ScriptAlias.3F
PS: Bug #57584 is related and has my full support.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
