Is there a way to block server side includes running "cmd", and
only allow "cgi"?
I bet lots of sites have restricted cgi directories but allow any
command to be executed via a "cmd" include.
If there's no way to block "cmd" while allowing "cgi", then Apache
should be fixed.
With so many sites allowing people to submit html (e.g. hyperreal and
our mailing list), there's a potential security hole here, just waiting
to be exploited.
robh
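
An added example, not part of the original message and not Apache code: a submission-side filter that tells `#exec cmd` directives apart from `#exec cgi` ones in user-supplied HTML and strips only the former. The function names and the sample input are constructed for illustration; the filter does not change what the server itself permits.

```python
import re

# SSI directives have the form <!--#element attr="value" ... -->.
# The pattern is deliberately permissive (case-insensitive, optional
# whitespace after '#') so that odd spellings are still caught.
SSI_RE = re.compile(r'<!--#\s*(\w+)(.*?)-->', re.DOTALL | re.IGNORECASE)
ATTR_RE = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|`([^`]*)`|(\S+))''')


def find_exec_directives(html):
    """Return [(kind, value), ...] for every attribute of an #exec directive."""
    found = []
    for directive in SSI_RE.finditer(html):
        if directive.group(1).lower() != "exec":
            continue
        for attr in ATTR_RE.finditer(directive.group(2)):
            kind = attr.group(1).lower()
            # Exactly one of the four value groups matched.
            value = next(g for g in attr.groups()[1:] if g is not None)
            found.append((kind, value))
    return found


def neutralize_cmd(html):
    """Replace any #exec directive carrying a cmd attribute; keep the rest."""
    def replace(directive):
        if directive.group(1).lower() == "exec":
            kinds = {a.group(1).lower()
                     for a in ATTR_RE.finditer(directive.group(2))}
            if "cmd" in kinds:
                return "<!-- exec cmd removed -->"
        return directive.group(0)
    return SSI_RE.sub(replace, html)


# Constructed sample of submitted HTML.
SAMPLE = (
    '<p>Hello</p>\n'
    '<!--#exec cgi="/cgi-bin/counter" -->\n'
    '<!--#EXEC CMD="ls -l" -->\n'
    '<!--#include virtual="/footer.html" -->\n'
)

if __name__ == "__main__":
    print(find_exec_directives(SAMPLE))
    print(neutralize_cmd(SAMPLE))
```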