60402 – ScriptAlias works as Alias when mod_cgi is not load

Bug 60402 - ScriptAlias works as Alias when mod_cgi is not load

Summary: ScriptAlias works as Alias when mod_cgi is not load

Status:	NEW

Alias:	None

Product:	Apache httpd-2
Classification:	Unclassified
Component:	mod_alias (show other bugs)
Version:	2.4.10
Hardware:	PC Linux

Importance:	P2 normal (vote)
Target Milestone:	---
Assignee:	Apache HTTPD Bugs Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-11-22 16:59 UTC by Victor Porton
Modified:	2016-11-22 17:40 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Victor Porton 2016-11-22 16:59:17 UTC

ScriptAlias works as if it were Alias when mod_cgi is not load.

This is a security hole as the visitor receives access to CGI files (which may contain passwords and other secret information), when mod_cgi is not load by mistake.

Instead ScriptAlias should fail with an error when mod_cgi isn't load.

Apache/2.4.10 (Debian)

Format For Printing
- XML
- Clone This Bug
- Top of page