Vulnerability Development mailing list archives
RE: script locations (how to setuo scripts as any extention)
From: "Mr.P.Taylor" <petert () imagine-sw com>
Date: Mon, 11 Jun 2001 09:53:46 -0400
Am I missing something here or do you no longer have to be explicit in saying

<Directory "/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
---snip----

Options ExecCGI ????
-----Original Message-----
From: H D Moore [mailto:hdm () secureaustin com]
Sent: Saturday, June 09, 2001 1:44 PM
To: Alex Andrews; vuln-dev () securityfocus com
Subject: Re: script locations (how to setuo scripts as any extention)

This is all a bit OT but... There is another trick you can use to set up an entire directory structure that is parsed by the same script. I have yet to figure out how to do it to the root directory, although a redirect may possibly do it:

application/x-httpd-php3 /fakedir

Now create a script called 'fakedir' in your document root and use the $PATH_INFO environment variable to parse out what document was actually requested. If the "document" requested doesn't exist, you can return an exact replica of the 404 error page. This lets you do things like create an entire document tree which resides only in a database; most major news sites use a similar technique for storing articles online. For instance, a request like:

/fakedir/somedoc54.html

could be parsed by your script to look up a database record with an index of 54, then format and return the page.

-HD

On Saturday 09 June 2001 04:59 am, Alex Andrews wrote:

In my previous post, I mentioned how it is possible to set up cgi-bin style directories at any location, and run scripts from any file extension. The following informs you of how under Apache at least this is possible:

0) Standard Disclaimer

Just to say use the techniques described here at your own risk. You have been told.

1) Placing cgi-scripts anywhere

The following is taken from my httpd.conf.

---snip---------
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
#
# "/usr/local/apache/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
---snip----

As we can see, you can make the script aliased CGI directory, i.e. the directory where the scripts are stored, into anything, and be called on the webserver anything. Scripts will only be allowed here (unless... well, see below). The syntax is:

ScriptAlias <what shall the directory be called on the server ie /cgi-bin> <where is the directory, absolute path>

For example, if I stored my scripts for some obscure reason in a directory called /usr/local/cgi, and wanted people to access scripts from http://www.myserver.com/script-fu/ I would do the following:

ScriptAlias /script-fu/ "/usr/local/cgi"

Then add the following access restrictions to the directory:

<Directory "/script-fu">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

Easy huh! I haven't tested this, but in theory you could even make the root of your web server scriptable (make the htdocs directory the same as the script alias).

But this is only the start, in fact you can easily allow a script to be executed anywhere, in or out of the cgi-bin alike directory, by using the AddHandler. The format of the command is simple:

AddHandler <what handler> <extension>

So if I want to execute my perl anywhere I do this:

AddHandler cgi-script .cgi

And voila! It's done obviously! I can add as many different extensions as I like for it. So if I want scripts with .ale extensions to work anywhere I can.

AddHandler cgi-script .cgi .ale

2) Make the server parse any document for php/ssi/whatever

First let's deal with server side parsing languages, php as the example here. When we install php we add the following lines to wherever the mimetypes are stored for apache (in httpd.conf for me):

AddType application/x-httpd-php3 .php
AddType application/x-httpd-php3-source .phps

There is nothing to stop you allowing php to be parsed from any extension you desire. So if I want php to be parsed out of the much used .ale extension I simply do this:

AddType application/x-httpd-php3 .php .ale
AddType application/x-httpd-php3-source .phps .ale

The syntax is then AddType <type> <extension> <extensions>. Although I have no experience, the documentation suggests that any other server side scripting language can be set in a similar manner.

Now let's deal with those SSI pages. The following lines of the httpd.conf deal with this aspect of the server:

AddType text/html .shtml
AddHandler server-parsed .shtml

Obviously these two variables can also be changed. If I wanted to make all .ale pages ssi parsed I would do the following.

AddType text/html .ale
AddHandler server-parsed .ale

So:

AddType <mime type> <extensions>
AddHandler <what handler> <extensions>

4) Links

The Apache Project Homepage which includes complete documentation: http://www.apache.org
The PHP scripting language homepage: http://www.php.net

And there we go, that's it. If I managed to keep your attention this far, you are a better person than me.

Thanks for your time
Alex
-------
An unexamined life is not worth living
--
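Added example, not part of any message in this thread: a small audit that reads httpd.conf-style text and reports which directories are ScriptAliased and which extensions have been mapped to an executing handler or type beyond the usual ones, which is the effect the directives quoted above have. The `EXPECTED` allowlist, the function name `audit` and the sample configuration are assumptions constructed for illustration from the directives in the thread.

```python
import re

# Expected extensions per handler/type; anything else is flagged.
# This allowlist is an assumption for the example; adjust per site.
EXPECTED = {
    "cgi-script": {".cgi"},
    "server-parsed": {".shtml"},
    "application/x-httpd-php3": {".php", ".php3"},
    "application/x-httpd-php3-source": {".phps"},
}

# Constructed sample, built from the directives quoted in the thread.
SAMPLE_CONF = '''\
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
ScriptAlias /script-fu/ "/usr/local/cgi"
# AddHandler cgi-script .bak
AddHandler cgi-script .cgi .ale
AddType application/x-httpd-php3 .php .ale
AddType application/x-httpd-php3-source .phps
AddType text/html .ale
AddHandler server-parsed .ale
'''

def audit(conf_text):
    """Return (script_aliases, findings) for an httpd.conf-style text."""
    aliases, findings = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out directives have no effect
        parts = re.findall(r'"[^"]*"|\S+', line)  # keep quoted paths whole
        args = [p.strip('"') for p in parts[1:]]
        directive = parts[0].lower()  # directive names are case-insensitive
        if directive == "scriptalias" and len(args) == 2:
            aliases.append((lineno, args[0], args[1]))
        elif directive in ("addhandler", "addtype") and len(args) >= 2:
            target = args[0].lower()
            if target not in EXPECTED:
                continue  # e.g. text/html: a plain type, nothing is executed
            for ext in args[1:]:
                ext = "." + ext.lower().lstrip(".")  # leading dot is optional
                if ext not in EXPECTED[target]:
                    findings.append((lineno, target, ext))
    return aliases, findings

if __name__ == "__main__":
    aliases, findings = audit(SAMPLE_CONF)
    for lineno, url, path in aliases:
        print(f"line {lineno}: everything under {path} runs as CGI via {url}")
    for lineno, target, ext in findings:
        print(f"line {lineno}: {ext} files are handled as {target}")
```

When reading the results, note that ScriptAlias marks its target directory as CGI on its own, while an `AddHandler cgi-script` mapping outside such a directory only executes files where `Options ExecCGI` is in effect.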