Apache 1.2 Questions: SSI security, encoding

Post by Jon Ru » Sun, 06 Apr 1997 04:00:00



Apache 1.2b7, SGI indy 5.3

SSI Security:

I want my users to be able to use text-based counters. The only way I can
see to do this is with SSI and a simple perl script. Unfortunately, this
means allowing exec's. Any way to force SSI execs to be SetUID? If I want
text based counters, am I stuck with this security hole laying wide open?

Encoding:

I've asked before, but never got an answer. My conf/mime.types file reads

application/mac-binhex40        hqx

How come when I access an hqx file Apache throws a Content-Encoding header
in there with values that confuse Netscape's default settings:

Escape character is '^]'.
GET /filname.hqx HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 06 Apr 1997 01:22:12 GMT
Server: Apache/1.2b7
Connection: close
Content-Type: application/mac-binhex40
Content-Encoding: x-binhex    <----- Where did this come from???
Last-Modified: Tue, 28 Jan 1997 19:45:06 GMT
ETag: "3821-e03ff-32ee5742"
Content-Length: 918527
Accept-Ranges: bytes

Is there somewhere I can find this info out? The Apache home page, while
nice, is... ummm... a little thin on troubleshooting.

Jon

--
take the spam stopping .not out of my address before replying


Post by Marc Slemk » Mon, 07 Apr 1997 05:00:00


[posted and mailed]


> Apache 1.2b7, SGI indy 5.3
> SSI Security:
> I want my users to be able to use text-based counters. The only way I can
> see to do this is with SSI and a simple perl script. Unfortunately, this
> means allowing exec's. Any way to force SSI execs to be SetUID? If I want
> text based counters, am I stuck with this security hole laying wide open?

You can have IncludesNOEXEC (which doesn't allow execution) and
should be able to use "include virtual" to include a CGI script
(which is setup to run as a CGI script elsewhere) in a system
directory that outputs the counter.  This prevents users from
executing their arbitrary CGI programs, but allows them to
include the output from them in their documents.

> Encoding:
> I've asked before, but never got an answer. My conf/mime.types file reads
> application/mac-binhex40        hqx
> How come when I access an hqx file Apache throws a Content-Encoding header
> in there with values that confuse Netscape's default settings:
> Escape character is '^]'.
> GET /filname.hqx HTTP/1.0
> HTTP/1.1 200 OK
> Date: Sun, 06 Apr 1997 01:22:12 GMT
> Server: Apache/1.2b7
> Connection: close
> Content-Type: application/mac-binhex40
> Content-Encoding: x-binhex    <----- Where did this come from???
> Last-Modified: Tue, 28 Jan 1997 19:45:06 GMT
> ETag: "3821-e03ff-32ee5742"
> Content-Length: 918527
> Accept-Ranges: bytes

You have probably added something to the config.  Look for any
AddEncoding lines in config files or .htaccess files and remove the
hqx one.
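
Marc's two suggestions (IncludesNOEXEC plus an `include virtual` of a counter CGI kept in a ScriptAliased directory, and hunting down a stray AddEncoding line) as one httpd.conf excerpt. This is an added example, not from the thread or from Apache's shipped config; the directory paths, the /cgi-bin/counter script name and the AddEncoding line are assumptions.

```apache
# Added example (not from the thread). Paths and the counter script
# name are assumptions; adjust to the local layout.

# Weak setting: plain Includes lets any page in a user's tree run
# <!--#exec cmd="..."--> as the server's user, which is the hole Jon
# describes. Shown commented out for contrast.
# <Directory /home/*/public_html>
#     Options Includes
# </Directory>

# Hardened: SSI stays on, but #exec cmd and #exec cgi are refused.
# AllowOverride None stops a user's .htaccess from turning Options
# Includes back on.
<Directory /home/*/public_html>
    Options IncludesNOEXEC
    AllowOverride None
</Directory>

# The counter CGI lives in an admin-controlled ScriptAlias directory,
# so only programs the admin placed there ever execute.
ScriptAlias /cgi-bin/ /usr/local/apache/cgi-bin/
<Directory /usr/local/apache/cgi-bin>
    Options None
    AllowOverride None
</Directory>

# In a user's .shtml page the counter is pulled in with
#     <!--#include virtual="/cgi-bin/counter"-->
# IncludesNOEXEC still permits #include virtual of a ScriptAliased
# CGI, so the output appears while the user cannot pick the program.

# Encoding question: a line like the following (constructed example)
# anywhere in httpd.conf, srm.conf or a .htaccess adds
# "Content-Encoding: x-binhex" to every .hqx response. Remove it and
# let the mime.types entry supply the Content-Type alone.
# AddEncoding x-binhex hqx
```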


Post by brian moo » Mon, 07 Apr 1997 05:00:00


[Posted and mailed]



> Apache 1.2b7, SGI indy 5.3

> SSI Security:

> I want my users to be able to use text-based counters. The only way I can
> see to do this is with SSI and a simple perl script. Unfortunately, this
> means allowing exec's. Any way to force SSI execs to be SetUID? If I want
> text based counters, am I stuck with this security hole laying wide open?

That's the hard way.  Look at mod_counter on the Apache site.  Combined
with XSSI, you can easily have text counters without Perl or any CGI.
(And text counters are a LOT prettier than the damned GIFs... blech.)

> Encoding:

Hrrrm.. that one is weird.  NFI, though I plan on playing with Apache
some this weekend.

--
Brian Moore                      The opinions expressed above are my own, not
Sysadmin, C/Perl Hacker          necessarily my employers'.


Post by Jon Ru » Thu, 10 Apr 1997 04:00:00



> > I want my users to be able to use text-based counters. The only way I can
> > see to do this is with SSI and a simple perl script. Unfortunately, this
> > means allowing exec's. Any way to force SSI execs to be SetUID? If I want
> > text based counters, am I stuck with this security hole laying wide open?

> That's the hard way.  Look at mod_counter on the Apache site.  Combined
> with XSSI, you can easily have text counters without Perl or any CGI.
> (And text counters are a LOT prettier than the damned GIFs... blech.)

Hmmm... maybe I'm an idiot, but I sure don't see mod_counter in the list of
modules at the Apache site. I also didn't see it at the module repository.
Got a URL?

Thanks for the tip though,
Jon


Post by brian moo » Fri, 11 Apr 1997 04:00:00





>> > I want my users to be able to use text-based counters. The only way I can
>> > see to do this is with SSI and a simple perl script. Unfortunately, this
>> > means allowing exec's. Any way to force SSI execs to be SetUID? If I want
>> > text based counters, am I stuck with this security hole laying wide open?

>> That's the hard way.  Look at mod_counter on the Apache site.  Combined
>> with XSSI, you can easily have text counters without Perl or any CGI.
>> (And text counters are a LOT prettier than the damned GIFs... blech.)

> Hmmm... maybe I'm an idiot, but I sure don't see mod_counter in the list of
> modules at the Apache site. I also didn't see it at the module repository.
> Got a URL?

http://www.galaxy.net/webcounter.html has it.  As a module you can do
nice simple things with SSI like:

        This page has been visited <!--#echo var="URL_COUNT"-->
        times.<br>

Cleaner than those damned gifs, though it will do gifs as well and comes
with a pile o' fonts.

--
Brian Moore                      The opinions expressed above are my own, not
Sysadmin, C/Perl Hacker          necessarily my employers'.
