Restricting Program Execution


CGI programs can be a security risk. It is advisable to disable CGI execution, or at least restrict it to specific directories. To that end, do not use AddHandler directives to globally enable CGI execution for certain file extensions.

Similarly, mod_include allows execution of CGIs and external commands through Server Side Includes (SSI). They are disabled by default by the Options -IncludesNoExec directive. If possible, make sure that the directories containing CGI scripts are writable only by the superuser and not by anyone else, and especially not by the user Apache runs as.

On a related note, make the document tree read-only whenever possible. This prevents an attacker from creating a file that can later be executed, for example by placing a file containing PHP code on a PHP-enabled server. Also, password-protect DAV-enabled directories and do not make website contents available through other services such as FTP.
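The following httpd.conf fragment is an added example, not from the book, showing the weak global AddHandler setup described above beside a hardened layout that confines CGI to one ScriptAlias directory, keeps the document tree static, and password-protects the DAV area. The paths /srv/www/htdocs, /srv/www/cgi-bin and /etc/httpd/dav.passwd and the Apache 2.4 "Require" syntax are assumptions.

```apache
# Added example (not the book's own configuration). Paths and the
# Apache 2.4 "Require" syntax are assumptions.

## Weak: CGI is enabled for every .cgi/.pl file anywhere under the document
## root, and AllowOverride All lets an .htaccess file turn on ExecCGI too.
# AddHandler cgi-script .cgi .pl
# <Directory "/srv/www/htdocs">
#     Options +ExecCGI +Includes
#     AllowOverride All
# </Directory>

## Hardened: the document tree serves static content only.
<Directory "/srv/www/htdocs">
    # No CGI, no #exec in SSI (IncludesNOEXEC keeps #include but drops #exec;
    # omit +IncludesNOEXEC if SSI is not needed at all), no directory
    # listings, no .htaccess overrides.
    Options -ExecCGI -Includes +IncludesNOEXEC -Indexes
    AllowOverride None
    Require all granted
</Directory>

## CGI only from one directory outside the document root, mapped via
## ScriptAlias. The directory should be owned by root and not writable by
## the Apache user, e.g.: chown root:root /srv/www/cgi-bin; chmod 755 /srv/www/cgi-bin
ScriptAlias "/cgi-bin/" "/srv/www/cgi-bin/"
<Directory "/srv/www/cgi-bin">
    Options None
    AllowOverride None
    Require all granted
</Directory>

## DAV-enabled directory: reads stay open, any modifying method needs a login.
<Directory "/srv/www/htdocs/dav">
    Dav On
    AuthType Basic
    AuthName "DAV upload area"
    AuthUserFile "/etc/httpd/dav.passwd"
    <LimitExcept GET HEAD OPTIONS>
        Require valid-user
    </LimitExcept>
</Directory>
```

Check the effective options with `httpd -t` for syntax and by requesting a test .cgi file under the document root, which should be served as plain text rather than executed.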


Apache Phrasebook: Essential Code and Commands
ISBN: 0672328364
Year: 2006
Pages: 254