Subject: Re: cvs commit: ports/www/apache13 Makefile
From: Paul Richards
To: "Andrey A. Chernov"
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Date: 10 May 2002 01:00:42 +0100
Message-Id: <1020988842.45396.7.camel@lobster.originative.co.uk>
In-Reply-To: <20020509192940.GA6915@nagual.pp.ru>
References: <200205090212.g492CF336407@freefall.freebsd.org> <1020956755.76738.59.camel@lobster.originative.co.uk> <20020509192940.GA6915@nagual.pp.ru>

On Thu, 2002-05-09 at 20:29, Andrey A. Chernov wrote:
> On Thu, May 09, 2002 at 16:05:55 +0100, Paul Richards wrote:
> > On Thu, 2002-05-09 at 04:12, Andrey A. Chernov wrote:
> > > ache 2002/05/08 19:12:15 PDT
> > >
> > > Modified files:
> > >   www/apache13 Makefile
> > > Log:
> > > chmod a+x cgi-bin.default example scripts
> >
> > They are deliberately not executable when installed for security
> > reasons. They are just examples only.
>
> There is no sense to keep non-working examples, it only confuses people.
> There are no security issues with these two scripts.

Are you going to audit them for all future releases? They also expose
information about the server. The key point, though, is that the Apache
project deliberately doesn't install these so they can't possibly cause
any problems.

What benefit is there to having these toy CGI examples actually work
other than in creating a potential security risk?

--
Paul Richards                   | FreeBSD DVD releases and merchandise.
FreeBSD Services Ltd            | Hardware, support and development.
http://www.freebsd-services.com | Domain names and mail/web hosting.