We can have a CGI script executed without having to bother with AddHandler, SetHandler, or ExecCGI. The file exec.shtml contains the following:
<!--#config errmsg="Bungled again!"--> We're now going to execute 'cmd="ls -l"'': << <!--#exec cmd="ls -l"--> >> and now /usr/www/APACHE3/cgi-bin/mycgi.cgi: << <!--#exec cgi="/cgi-bin/mycgi.cgi"--> >> and now the 'virtual' option: << <!--#include virtual="/cgi-bin/mycgi.cgi"--> >> That was it.
There are two attributes available to exec: cgi and cmd. The difference is that cgi needs a URL (in this case /cgi-bin/mycgi.cgi, set up by the ScriptAlias line in the Config file) and is protected by suEXEC if configured, whereas cmd will execute anything.
There is a third way of executing a file, namely, through the virtual attribute to the include command. When we select exec.shtml from the browser, we get this result:
We're now going to execute 'cmd="ls -l"'': << total 24 -rw-rw-r-- 1 414 xten 39 Oct 8 08:33 another_file -rw-rw-r-- 1 414 xten 106 Nov 11 1997 echo.shtml -rw-rw-r-- 1 414 xten 295 Oct 8 10:52 exec.shtml -rw-rw-r-- 1 414 xten 174 Nov 11 1997 include.shtml -rw-rw-r-- 1 414 xten 206 Nov 11 1997 size.shtml -rw-rw-r-- 1 414 xten 269 Nov 11 1997 time.shtml >> and now /usr/www/APACHE3/cgi-bin/mycgi.cgi: << Have a nice day >> and now the 'virtual' option: << Have a nice day >> That was it.
A prudent webmaster should view the cmd and cgi options with grave suspicion, since they let writers of SSIs give both themselves and outsiders dangerous access. However, if he uses Options +IncludesNOEXEC in conf/httpd2.conf, stops Apache, and restarts with ./go 2, the problem goes away:
We're now going to execute 'cmd="ls -l"'': << Bungled again! >> and now /usr/www/APACHE3/cgi-bin/mycgi.cgi: << Bungled again! >> and now the 'virtual' option: << Have a nice day >> That was it.
Now, nothing can be executed through an SSI that couldn't be executed directly through a browser, with all the control that this implies for the webmaster. (You might think that exec cgi= would be the way to do this, but it seems that some question of backward compatibility intervenes.)
Apache 1.3 introduced the following improvement: buffers containing the output of CGI scripts are flushed and sent to the client whenever the buffer has something in it and the server is waiting.
Copyright © 2003 O'Reilly & Associates. All rights reserved.