Disable all CGI, mod_perl, PHP etc?

On 20.06.2007 15:17:53 by Ignoramus26157

I have a directory that can be seen with Fancy Index. It is the sort
of place where anyone can place any file, including a .php file or a
.mpl file or a .cgi file etc. I do not want them to execute. Just to
be seen.

My directive is as follows:


Options Indexes MultiViews
AllowOverride None
Order allow,deny
Options -ExecCGI
Allow from all


That -ExecCGI does not work. I want a bulletproof way of saying that
nothing should be executed, no PHP, perl, CGI etc.

How can I do it?

i

Re: Disable all CGI, mod_perl, PHP etc?

On 20.06.2007 19:04:39 by shimmyshack

On Jun 20, 2:17 pm, Ignoramus26157 26157.invalid> wrote:
> I have a directory that can be seen with Fancy Index. It is the sort
> of place where anyone can place any file, including a .php file or a
> .mpl file or a .cgi file etc. I do not want them to execute. Just to
> be seen.
>
> My directive is as follows:
>
>
> Options Indexes MultiViews
> AllowOverride None
> Order allow,deny
> Options -ExecCGI
> Allow from all
>

>
> That -ExecCGI does not work. I want a bulletproof way of saying that
> nothing should be executed, no PHP, perl, CGI etc.
>
> How can I do it?
>
> i

you can stop execution by removing the server-parsed handler for these
files.
http://httpd.apache.org/docs/1.3/mod/mod_mime.html#removehandler

however what if someone uploads a plain text / html file with markup
or javascript inside, you are still vulnerable to cross site scripting
attacks, my advice is to keep all uploads in a folder not under the
document root, and provide access to download these files through a
script which reads out the contents and sends a content-disposition
header which forces a download.
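
As an added example (not code from anyone in this thread), a download handler of the kind described above: the store directory, which is assumed to sit outside DocumentRoot, and the sample files are constructed for the demonstration.

```python
"""Added example, not code from this thread: a download handler in the
style shimmyshack describes. Files live in a directory that is NOT under
the document root, so Apache never maps them to any handler, and every
file is sent as an opaque attachment instead of being rendered."""
import os
import re
import tempfile
from typing import List, Tuple

# Assumed location of the upload store, outside DocumentRoot.
UPLOAD_DIR = os.path.join(tempfile.gettempdir(), "example_uploads")

# Whitelist of acceptable names: no slashes, no leading dot, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def serve_download(name: str) -> Tuple[int, List[Tuple[str, str]], bytes]:
    """Return (status, headers, body) for the requested file name."""
    if not SAFE_NAME.match(name):
        return 400, [("Content-Type", "text/plain")], b"bad file name\n"
    base = os.path.realpath(UPLOAD_DIR)
    path = os.path.realpath(os.path.join(base, name))
    # Defence in depth: the pattern already forbids '/', but make sure the
    # resolved path (symlinks included) is a regular file directly in base.
    if os.path.dirname(path) != base or not os.path.isfile(path):
        return 404, [("Content-Type", "text/plain")], b"not found\n"
    with open(path, "rb") as fh:
        body = fh.read()
    headers = [
        # Opaque type plus an attachment disposition: the browser saves the
        # file rather than interpreting .php, .html or anything else.
        ("Content-Type", "application/octet-stream"),
        ("Content-Disposition", 'attachment; filename="%s"' % name),
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Length", str(len(body))),
    ]
    return 200, headers, body


def make_sample_store() -> None:
    """Create a constructed sample store with a .php and an .html file."""
    os.makedirs(UPLOAD_DIR, exist_ok=True)
    with open(os.path.join(UPLOAD_DIR, "report.php"), "wb") as fh:
        fh.write(b"<?php echo 'never executed'; ?>\n")
    with open(os.path.join(UPLOAD_DIR, "notes.html"), "wb") as fh:
        fh.write(b"<html><body>markup is not rendered</body></html>\n")
```

Calling `make_sample_store()` and then `serve_download("report.php")` returns the PHP source unchanged as an attachment, while `serve_download("../etc/passwd")` is rejected with 400 before any path is touched.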

Re: Disable all CGI, mod_perl, PHP etc?

On 20.06.2007 19:40:22 by unknown

Post removed (X-No-Archive: yes)

Re: Disable all CGI, mod_perl, PHP etc?

On 20.06.2007 20:08:43 by Ignoramus26157

On Wed, 20 Jun 2007 19:40:22 +0200, Davide Bianchi wrote:
> On 2007-06-20, shimmyshack wrote:
>> , my advice is to keep all uploads in a folder not under the
>> document root, and provide access to download these files through a
>> script which reads out the contents and sends an content-dispostion
>> header which forces a download.
>
> In addition to that, if you can, use a different partition mounted
> with the 'no-executable' permissions.

I believe that mod_perl does not require executable permissions. I
would surmise that the same applies to PHP.

i

Re: Disable all CGI, mod_perl, PHP etc?

On 20.06.2007 20:10:40 by Ignoramus26157

On Wed, 20 Jun 2007 17:04:39 -0000, shimmyshack wrote:
> On Jun 20, 2:17 pm, Ignoramus26157 > 26157.invalid> wrote:
>> I have a directory that can be seen with Fancy Index. It is the sort
>> of place where anyone can place any file, including a .php file or a
>> .mpl file or a .cgi file etc. I do not want them to execute. Just to
>> be seen.
>>
>> My directive is as follows:
>>
>>
>> Options Indexes MultiViews
>> AllowOverride None
>> Order allow,deny
>> Options -ExecCGI
>> Allow from all
>>

>>
>> That -ExecCGI does not work. I want a bulletproof way of saying that
>> nothing should be executed, no PHP, perl, CGI etc.
>>
>> How can I do it?
>>
>> i
>
> you can stop execution by removing the server-parsed handler for these
> files.
> http://httpd.apache.org/docs/1.3/mod/mod_mime.html#removehandler

So, it seems that here I have to specify extensions? (.cgi, .php, .mpl
come to mind). How can I make sure that the list is exhaustive?

> however what if someone uploads a plain text / html file with markup
> or javascript inside, you are still vulnerable to cross site scripting
> attacks, my advice is to keep all uploads in a folder not under the
> document root, and provide access to download these files through a
> script which reads out the contents and sends a content-disposition
> header which forces a download.

I am not worried about XSS, this is a work situation.

i

Re: Disable all CGI, mod_perl, PHP etc?

On 20.06.2007 20:25:30 by shimmyshack

On Jun 20, 7:10 pm, Ignoramus26157 26157.invalid> wrote:
> On Wed, 20 Jun 2007 17:04:39 -0000, shimmyshack wrote:
> > On Jun 20, 2:17 pm, Ignoramus26157 > > 26157.invalid> wrote:
> >> I have a directory that can be seen with Fancy Index. It is the sort
> >> of place where anyone can place any file, including a .php file or a
> >> .mpl file or a .cgi file etc. I do not want them to execute. Just to
> >> be seen.
>
> >> My directive is as follows:
>
> >>
> >> Options Indexes MultiViews
> >> AllowOverride None
> >> Order allow,deny
> >> Options -ExecCGI
> >> Allow from all
> >>

>
> >> That -ExecCGI does not work. I want a bulletproof way of saying that
> >> nothing should be executed, no PHP, perl, CGI etc.
>
> >> How can I do it?
>
> >> i
>
> > you can stop execution by removing the server-parsed handler for these
> > files.
> > http://httpd.apache.org/docs/1.3/mod/mod_mime.html#removehandler
>
> So, it seems that here I have to specify extensions? (.cgi, .php, .mpl
> come to mind). How can I make sure that the list is exhaustive?
>
> > however what if someone uploads a plain text / html file with markup
> > or javascript inside, you are still vulnerable to cross site scripting
> > attacks, my advice is to keep all uploads in a folder not under the
> > document root, and provide access to download these files through a
> > script which reads out the contents and sends a content-disposition
> > header which forces a download.
>
> I am not worried about XSS, this is a work situation.
>
> i

provided your intranet (what I assume you mean) is not compromised via
your web browsing (there are a number of ways to traverse an intranet
via someone with local access from outside the LAN), it is true, xss
is somewhat limited in scope.

the number of extensions which your install of apache will send
through to some kind of parser, pl php, will be limited by the
installation you have, there won't be too many extensions. However
some kinds of files can contain php and other embedded code, so they
could also end up being parsed. (See embedded code in jpeg meta
headers for instance) so include those as well just to be sure.
If you write a "download" script you get all this for free, so that is
my advice, and as I say placing the files in a NON public location is
best practice.

Re: Disable all CGI, mod_perl, PHP etc?

On 20.06.2007 20:31:56 by Ignoramus26157

On Wed, 20 Jun 2007 18:25:30 -0000, shimmyshack wrote:
> provided your intranet (what I assume you mean) is not compromised via
> your web browsing (there are a number of ways to traverse an intranet
> via someone with local access from outside the LAN), it is true, xss
> is somewhat limited in scope.
>
> the number of extensions which your install of apache will send
> through to some kind of parser, pl php, will be limited by the
> installation you have, there won't be too many extensions. However
> some kinds of files can contain php and other embedded code, so they
> could also end up being parsed. (See embedded code in jpeg meta
> headers for instance) so include those as well just to be sure.
> If you write a "download" script you get all this for free, so that is
> my advice, and as I say placing the files in a NON public location is
> best practice.
>

Actually, RemoveHandler does NOT work. I just tried:

...
RemoveHandler .mpl
RemoveHandler .cgi
RemoveHandler .php


At this point I would like to repeat my question, how can I disable
handling server side scripts for a given directory.

I am not interested in disabling client side scripts at this point.

i

Re: Disable all CGI, mod_perl, PHP etc?

On 20.06.2007 20:48:17 by Ignoramus26157

Since I did not receive a working answer... A few more details...

What that directory is for, is for files that my webserver downloads
from other machines, that contain certain useful information that my
server analyzes. Displaying them on the webserver is an extra service
of minor importance, compared to download and analysis.

So I added an extra filter to the downloader script, so that it
refuses to download files with extensions (non-case-sensitive) sh, pl,
cgi, php, py, mpl.

That's not an ideal solution. The ideal solution would be to specify
to the webserver "do not execute anything from this directory". But it
is a start.

i

Re: Disable all CGI, mod_perl, PHP etc?

On 20.06.2007 21:25:43 by HansH

"Ignoramus26157" wrote in message
news:wtmdnTLHc8yctOTbnZ2dnUVZ_gGdnZ2d@giganews.com...
>
> Options Indexes MultiViews
> AllowOverride None
> Order allow,deny
> Options -ExecCGI
> Allow from all
>

>
> That -ExecCGI does not work. I want a bulletproof way of saying that
> nothing should be executed, no PHP, perl, CGI etc.
>
I do not feel comfortable with the Options directive being used TWICE in a
single container. Just try
Options +Indexes +MultiViews -ExecCGI

HansH

Re: Disable all CGI, mod_perl, PHP etc?

On 21.06.2007 00:34:20 by shimmyshack

On Jun 20, 7:48 pm, Ignoramus26157 26157.invalid> wrote:
> Since I did not receive a working answer... A few more details...
>
> What that directory is for, is for files that my webserver downloads
> from other machines, that contain certain useful information that my
> server analyzes. Displaying them on the webserver is an extra service
> of minor importance, compared to download and analysis.
>
> So I added an extra filter to the downloader script, so that it
> refuses to download files with extensions (non-case-sensitive) sh, pl,
> cgi, php, py, mpl.
>
> That's not an ideal solution. The ideal solution would be to specify
> to the webserver "do not execute anything from this directory". But it
> is a start.
>
> i

how about
ForceType text/plain
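
As an added example (not a configuration posted by anyone in this thread), the suggestions made in the thread combined into one Directory container: a single Options line, RemoveHandler/RemoveType, ForceType text/plain, plus the reason RemoveHandler alone did not work for the original poster. The path /srv/uploads and the presence of mod_php5 and mod_headers are assumptions.

```apache
<Directory /srv/uploads>
    # One Options line, as HansH suggests: -ExecCGI disables mod_cgi and
    # -Includes disables server-side includes for this directory.
    Options +Indexes +MultiViews -ExecCGI -Includes
    AllowOverride None
    Order allow,deny
    Allow from all

    # Undo AddHandler/AddType extension mappings inherited from the
    # server config for the extensions named in the thread (mod_mime).
    RemoveHandler .cgi .pl .mpl .php .py .sh
    RemoveType    .php

    # Serve files as plain text (shimmyshack's ForceType suggestion) and
    # tell browsers not to sniff another type out of the content.
    # Directory requests are typed as directories before ForceType is
    # consulted, so the Fancy Index itself keeps working.
    ForceType text/plain
    <IfModule mod_headers.c>
        Header set X-Content-Type-Options nosniff
    </IfModule>

    # RemoveHandler only undoes mod_mime mappings; a handler bound with
    # SetHandler elsewhere (e.g. a server-wide <FilesMatch "\.php$">
    # SetHandler ...) survives it, which is the usual reason it "does not
    # work". Force the core static-file handler for every file with an
    # extension; the directory itself is left to mod_autoindex.
    <FilesMatch "\.[A-Za-z0-9]+$">
        SetHandler default-handler
    </FilesMatch>

    # <Files> sections in the main server config are merged after
    # <Directory> sections and could still win, so if mod_php is loaded
    # switch its engine off here too (cannot be re-enabled from .htaccess).
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
</Directory>
```

To check the result, request one of the stored .php or .cgi files and confirm the response carries Content-Type: text/plain and the file's source unchanged; if a script still runs, look for a SetHandler or php_value directive in a later-merged <Files> or <Location> section.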