suggestion to inform about dangerous options for shared hostings

Discussion in 'General' started by ztk.me, Oct 5, 2017.

  1. ztk.me

    ztk.me (ISPConfig Developer)

    I'd vote for at least replacing
    Options Includes
    with
    IncludesNoExec

    While it might not ban the risk entirely, there should be a hint that it is dangerous to use/make available to customers.
    http://httpd.apache.org/docs/2.4/misc/security_tips.html#ssi

    Didn't test the <!--#include virtual="..." --> thing yet, but I do see a lot of people installing some random piece of garbage software telling, or at least leading, them to chmod 777 just everything, which ... yeah, could be found by other hosts using some file traversal.

    Think of uploading a custom-program-doing-traversal-and-stuff which sits in the customer's /var/www/foo-lder, so suexec runs it without complaining, et voilà, success, I was able to tamper with that poor customer. Since I usually work in trusted/isolated environments I never thought 'bout that, but it's a serious issue.
    It works only through ssi-exec though; running that php-script, for example => nope, doesn't work ... uhm, yeah, cgi-bin executing arbitrary code, same thing likely.
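An added example of the change proposed above (not configuration from the thread or from ISPConfig itself): the weak `Options Includes` setting beside the `IncludesNoExec` form, in a per-customer vhost. The ServerName, document root and the `.shtml` handler setup are assumptions; the `AllowOverride` line is included because without it a customer `.htaccess` with `AllowOverride Options` in effect could simply turn `Includes` back on.

```apache
# Added example, not from the thread or ISPConfig. Paths and names are placeholders.

# Weak form: "Includes" enables the full SSI set, including
#   <!--#exec cmd="..." -->  and  <!--#exec cgi="..." -->
# in any .shtml a customer can upload to their own docroot, which
# the web server (or the suexec target user) then runs.
#
# <Directory /var/www/example-customer/web>
#     Options +Includes
# </Directory>

# Hardened form: server-parsed includes still work, #exec is refused.
<VirtualHost *:80>
    ServerName example-customer.test
    DocumentRoot /var/www/example-customer/web

    # Enable SSI processing for .shtml (assumed handler setup)
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml

    <Directory /var/www/example-customer/web>
        # #include virtual/file and #echo keep working; #exec cmd/cgi
        # yield "[an error occurred while processing this directive]".
        Options +IncludesNoExec

        # Do not let a per-directory .htaccess re-enable "Includes".
        # If customers need other Options via .htaccess, use the 2.4 form
        #   AllowOverride Options=IncludesNoExec,Indexes
        # instead of a blanket "AllowOverride Options".
        AllowOverride None

        Require all granted
    </Directory>
</VirtualHost>
```

After editing, `apachectl configtest` (or `apachectl -t`) catches syntax errors before a reload. Caveat that matches the "might not ban the risk entirely" remark: per the Apache documentation, `IncludesNoExec` only disables the `#exec` element; `<!--#include virtual="..." -->` of a CGI script living under a `ScriptAlias`-ed path is still executed, so what the customer may place in `cgi-bin` (and under which suexec user it runs) has to be reviewed separately.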
     
  2. till

    till (Super Moderator, Staff Member, ISPConfig Developer)

    That's a good idea and we should change to the safer option.
     