Bug 57777 - Security concerns with documentation of AddHandler (and multiple file extensions)
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Documentation
Version: 2.5-HEAD
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: HTTP Server Documentation List
Reported: 2015-03-30 00:58 UTC by sebastian
Modified: 2016-02-08 08:50 UTC
Description sebastian 2015-03-30 00:58:33 UTC
The latest official docs on AddHandler at [1] list

  AddHandler cgi-script .cgi

for an example.  Why use something as dangerous for an example?
A few lines below, the user is pointed to notes on multiple file extensions at [2]
but no mention of "security" and no example of an attack scenario
with remote code execution from a user file upload form.

The official FAQ at [3] mentions "AddHandler cgi-script .cgi", too.  Why?

The multiple file extension approach of AddHandler seems to be widely unknown:
Dangerous guides enabling CGI or PHP execution using AddHandler can be found all
across the internet, including documentation of webhosters and large Linux distributions.
Therefore I believe Apache users need all the help they can get from the official
documentation understanding that AddHandler is dangerous to use in many cases.

Ideally, also add a big graphic warning sign in the docs to AddHandler
and/or boldly discourage its use altogether.  That would rock the house.

Thanks in advance!


[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler
[2] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext
[3] https://wiki.apache.org/httpd/FAQ#How_do_I_enable_CGI_execution_in_directories_other_than_the_ScriptAlias.3F

PS: Bug #57584 is related and has my full support.
Comment 1 Luca Toscano 2016-01-15 06:03:24 UTC
Definitely something to change, injecting files and then getting them executed is not really good. I really hope that in 2016 few people are still using mod_cgi, but improving the documentation is always a good thing.

I am not an expert though about the correct settings to secure a configuration like this one (except careful validation of the files received and Options -ExecCGI in the appropriate folders), do you have any suggestion to speed up the resolution of the bug?

Thanks!

Luca
Comment 2 Luca Toscano 2016-02-08 08:50:42 UTC
Adding another possible candidate to fix/update:

https://httpd.apache.org/docs/2.4/misc/security_tips.html#cgi
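
Added example, not part of the bug thread and not Apache project code: a small Python model of the documented mod_mime multiple-extension semantics that the report is about. It flags stored upload filenames that `AddHandler cgi-script .cgi` would map to the CGI handler but that a `FilesMatch` pattern anchored to the final extension would not; the function names, the sample filenames and the choice of that `FilesMatch` pattern as the alternative configuration are assumptions made for the example.

```python
import re

# Configuration under audit, as quoted in the report: AddHandler cgi-script .cgi
ADD_HANDLER = {"cgi": "cgi-script"}

# Assumed alternative that matches only the final extension:
#   <FilesMatch "[^.]+\.cgi$">
#       SetHandler cgi-script
#   </FilesMatch>
FILESMATCH = re.compile(r"[^.]+\.cgi$")


def addhandler_result(filename, mappings=ADD_HANDLER):
    """Handler assigned under the documented AddHandler semantics.

    Every dot-separated part after the first counts as an extension and
    the rightmost mapped handler wins. Extensions are compared
    case-insensitively here, as the directive's argument is.
    """
    handler = None
    for ext in filename.split(".")[1:]:
        handler = mappings.get(ext.lower(), handler)
    return handler


def filesmatch_result(filename):
    """Handler assigned when only the final extension is matched."""
    return "cgi-script" if FILESMATCH.search(filename) else None


def audit_upload_names(names):
    """Names that AddHandler maps to a handler but the anchored match does not."""
    return [n for n in names
            if addhandler_result(n) and not filesmatch_result(n)]


# Constructed sample of filenames as an upload form might store them.
SAMPLE = ["photo.jpg", "report.cgi", "avatar.cgi.jpg", "cgi.png"]

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name:16} AddHandler={addhandler_result(name)} "
              f"FilesMatch={filesmatch_result(name)}")
    print("flagged:", audit_upload_names(SAMPLE))
```

Any flagged name in a web-served upload directory is a reason to rename the file on storage and to make sure the directory has no handler mapping and `Options -ExecCGI`, as mentioned in Comment 1.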