We can have a CGI script executed without having to bother with AddHandler, SetHandler, or ExecCGI. The file exec.shtml contains:
    <!--#config errmsg="Bungled again!"-->
    We're now going to execute 'cmd="ls -l"'':
    << <!--#exec cmd="ls -l"--> >>
    and now /usr/www/cgi-bin/mycgi.cgi:
    << <!--#exec cgi="cgi-bin/mycgi.cgi"--> >>
    and now the 'virtual' option:
    << <!--#include virtual="cgi-bin/mycgi.cgi"--> >>
    That was it.
There are two attributes available to exec: cgi and cmd. The difference is that cgi needs a URL (in this case /cgi-bin/mycgi.cgi, set up by the ScriptAlias line in the Config file) and is protected by suEXEC if configured, whereas cmd will execute anything.
There is a third way of executing a file, namely, through the virtual attribute to the include command. When we select exec.shtml from the browser, we get this result:
    We're now going to execute 'cmd="ls -l"'':
    << total 24
    -rw-rw-r-- 1 414 xten 39 Oct 8 08:33 another_file
    -rw-rw-r-- 1 414 xten 106 Nov 11 1997 echo.shtml
    -rw-rw-r-- 1 414 xten 295 Oct 8 10:52 exec.shtml
    -rw-rw-r-- 1 414 xten 174 Nov 11 1997 include.shtml
    -rw-rw-r-- 1 414 xten 206 Nov 11 1997 size.shtml
    -rw-rw-r-- 1 414 xten 269 Nov 11 1997 time.shtml
    >>
    and now /usr/www/cgi-bin/mycgi.cgi:
    << Have a nice day >>
    and now the 'virtual' option:
    << Have a nice day >>
    That was it.
A prudent webmaster should view the cmd and cgi options with grave suspicion, since they let writers of SSIs give both themselves and outsiders dangerous access. However, if he or she uses Options +IncludesNOEXEC in the Config file, the problem goes away:
    We're now going to execute 'cmd="ls -l"'':
    << Bungled again! >>
    and now /usr/www/cgi-bin/mycgi.cgi:
    << Bungled again! >>
    and now the 'virtual' option:
    << Have a nice day >>
    That was it.
Now, nothing can be executed through an SSI that couldn't be executed directly through a browser, with all the control that implies for the webmaster. (You might think that exec cgi= would be the way to do this, but it seems that some question of backward compatibility intervenes.)
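A webmaster who wants to know which pages rely on these directives before switching to Options +IncludesNOEXEC can scan the SSI files for them. The following audit script is an added example, not code from the book; the function name audit_ssi and the report fields are assumptions made for illustration, and the sample input is the exec.shtml shown above.

```python
import re

# One SSI element: <!--#element attr="value" ... -->
SSI_ELEMENT = re.compile(r'<!--#(\w+)\s+(.*?)-->', re.DOTALL)
SSI_ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Directives this page shows executing a file, mapped to whether they
# still work once Options +IncludesNOEXEC is set.
EXECUTING = {
    ("exec", "cmd"): False,        # runs anything; disabled by IncludesNOEXEC
    ("exec", "cgi"): False,        # CGI by URL; disabled by IncludesNOEXEC
    ("include", "virtual"): True,  # still served, like a browser request
}

def audit_ssi(text):
    """Return one finding per directive that can execute a file."""
    findings = []
    for match in SSI_ELEMENT.finditer(text):
        element = match.group(1).lower()
        for attr, value in SSI_ATTR.findall(match.group(2)):
            key = (element, attr.lower())
            if key in EXECUTING:
                findings.append({
                    "line": text.count("\n", 0, match.start()) + 1,
                    "directive": "%s %s" % key,
                    "target": value,
                    "survives_noexec": EXECUTING[key],
                })
    return findings

# exec.shtml as shown on this page
EXEC_SHTML = """<!--#config errmsg="Bungled again!"-->
We're now going to execute 'cmd="ls -l"'':
<< <!--#exec cmd="ls -l"--> >>
and now /usr/www/cgi-bin/mycgi.cgi:
<< <!--#exec cgi="cgi-bin/mycgi.cgi"--> >>
and now the 'virtual' option:
<< <!--#include virtual="cgi-bin/mycgi.cgi"--> >>
That was it.
"""

if __name__ == "__main__":
    for f in audit_ssi(EXEC_SHTML):
        status = "allowed" if f["survives_noexec"] else "blocked"
        print("line %(line)d: %(directive)s -> %(target)s" % f,
              "[%s under IncludesNOEXEC]" % status)
```

Only text inside an SSI element is examined, so the literal 'cmd="ls -l"' in the page's prose line is not reported. An include virtual finding is flagged because its target may be a CGI script; a target that is a static file executes nothing.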
Apache 1.3 introduced the improvement that buffers containing the output of CGI scripts are flushed and sent to the client whenever the buffer has something in it and the server is waiting.
Copyright © 2001 O'Reilly & Associates. All rights reserved.