Re: [expert] apache 1.3.6 and .cgi scripts not in cgi-bin

1999-07-23 Thread Stephen Carville

On Thu, 22 Jul 1999, you wrote:
-If you haven't changed your httpd.conf, it should be on line 403. Change
-it to: 
-Options Indexes Includes FollowSymLinks ExecCGI

This will work but I disagree with it being the "right" solution.  It
is better to leave the default to the most restrictive settings
reasonable and open them up on a case by case basis.

-RedHat's configuration is pretty insecure by default and I have seen many
-sites get hacked. On Mandrake, I made sure it was easy enough for
-beginners, while secure.
-
-By the way, don't **ever** put a cgi chmoded 777! It's world writable and
-executable, and anyone with knowledge can take control of your cgis if you
-do that. Please, chmod it to 755.

Very good advice.  I "hacked" one of my employer's databases (it's
part of my job :-)  using just this technique.

-Jean-Michel
[EMAIL PROTECTED]
-
-On Thu, 22 Jul 1999, Axalon wrote:
-
- Date: Thu, 22 Jul 1999 18:33:01 -0600 (MDT)
- From: Axalon [EMAIL PROTECTED]
- Reply-To: [EMAIL PROTECTED]
- To: "[EMAIL PROTECTED]" [EMAIL PROTECTED]
- Subject: Re: [expert] apache 1.3.6 and .cgi scripts not in cgi-bin
- 
- 
- Make sure you have a "Options ExecCGI" in the section covering the
- directory in question.
- 
- 
- On Thu, 22 Jul 1999, Duncan Hall wrote:
- 
-  I've uncommented the line in httpd.conf
-  
-  # To use CGI scripts:
-  AddHandler cgi-script .cgi
-  
-  I'm using apache-1.3.6-50mdk
-  
-  When I try to run a script that is not in the cgi-bin I get the following Error
-  
-  403
-  
-  Forbidden
-  
-  You don't have permission to access /Weekly/CHARTS/index.cgi on this server.
-  
-  To test it I have chmod 777 but still no luck.
-  
-  Before I get flamed about perl scripts not in cgi-bin, this script is on a secure intranet.
-  
-  It worked perfectly on redhat 5.2 with apache 1.3.2
-  
-  Any thoughts
-  
-  Dunc
-  
-  --
-  //
-  Duncan Hall
-  SysAdmin/WebMaster
-  Viator Systems [ http://www.viator.com ]
-  ... e-commerce systems for the travel industry
-  tel: +61 2 9361 6137 fax: +61 2 9360 9885
-  -//
-  
-  
-  
-
--
Stephen Carville
--
Operating complicated machinery whilst possessed of the 
cognitive powers of a sea slug and the disposition
of a polar bear with a toothache is very unwise



Re: [expert] apache 1.3.6 and .cgi scripts not in cgi-bin

1999-07-22 Thread Jean-Michel Dault


If you haven't changed your httpd.conf, it should be on line 403. Change
it to: 
Options Indexes Includes FollowSymLinks ExecCGI

RedHat's configuration is pretty insecure by default and I have seen many
sites get hacked. On Mandrake, I made sure it was easy enough for
beginners, while secure.

By the way, don't **ever** put a cgi chmoded 777! It's world writable and
executable, and anyone with knowledge can take control of your cgis if you
do that. Please, chmod it to 755.

Jean-Michel
[EMAIL PROTECTED]

On Thu, 22 Jul 1999, Axalon wrote:

 Date: Thu, 22 Jul 1999 18:33:01 -0600 (MDT)
 From: Axalon [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: "[EMAIL PROTECTED]" [EMAIL PROTECTED]
 Subject: Re: [expert] apache 1.3.6 and .cgi scripts not in cgi-bin
 
 
 Make sure you have a "Options ExecCGI" in the section covering the
 directory in question.
 
 
 On Thu, 22 Jul 1999, Duncan Hall wrote:
 
  I've uncommented the line in httpd.conf
  
  # To use CGI scripts:
  AddHandler cgi-script .cgi
  
  I'm using apache-1.3.6-50mdk
  
  When I try to run a script that is not in the cgi-bin I get the following Error
  
  403
  
  Forbidden
  
  You don't have permission to access /Weekly/CHARTS/index.cgi on this server.
  
  To test it I have chmod 777 but still no luck.
  
  Before I get flamed about perl scripts not in cgi-bin, this script is on a secure intranet.
  
  It worked perfectly on redhat 5.2 with apache 1.3.2
  
  Any thoughts
  
  Dunc
  
  --
  //
  Duncan Hall
  SysAdmin/WebMaster
  Viator Systems [ http://www.viator.com ]
  ... e-commerce systems for the travel industry
  tel: +61 2 9361 6137 fax: +61 2 9360 9885
  -//
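
An added example, not part of any post in this thread: a shell audit for the chmod 777 problem discussed above. It lists CGI scripts that anyone other than the owner can modify, flags script directories that are world-writable, and resets flagged scripts to 755. The .cgi suffix is taken from the AddHandler line in the thread; the function names, the group-write check and the sticky-bit exemption are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a web tree for CGI scripts that non-owners can modify.
# Assumption: CGI scripts are the files ending in .cgi (per the AddHandler line).

# Print every *.cgi file under $1 that is writable by group or by others.
# Mode 777 is caught here; mode 755 is not.
list_writable_cgi() {
    find "$1" -type f -name '*.cgi' \( -perm -020 -o -perm -002 \) -print
}

# Print every directory under $1 that contains a *.cgi file and is
# world-writable without the sticky bit. In such a directory any local user
# can rename or replace the script even when the script itself is mode 755.
list_writable_cgi_dirs() {
    find "$1" -type f -name '*.cgi' -exec dirname {} \; | sort -u |
    while IFS= read -r d; do
        # -prune keeps find on the directory itself instead of descending.
        if [ -n "$(find "$d" -prune -perm -002 ! -perm -1000 -print)" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Reset every flagged script to 755 (rwxr-xr-x), the mode recommended
# in the thread. Directories are reported only, never changed.
fix_writable_cgi() {
    find "$1" -type f -name '*.cgi' \( -perm -020 -o -perm -002 \) \
        -exec chmod 755 {} +
}

# Usage: sh audit_cgi.sh /path/to/docroot   (placeholder path)
if [ "$#" -ge 1 ]; then
    echo "Scripts writable by group or others:"
    list_writable_cgi "$1"
    echo "World-writable script directories:"
    list_writable_cgi_dirs "$1"
fi
```

Run it read-only first and review the list before calling fix_writable_cgi, since a flagged script may already have been modified.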