RE: script locations (how to setuo scripts as any extention)

["Mr.P.Taylor" <petert () imagine-sw com>]

Am I missing something here or do you no longer have to be explicit
in saying
> > <Directory "/cgi-bin">
> >     AllowOverride None
> >     Options None
> >     Order allow,deny
> >     Allow from all
> > </Directory>
> > ---snip----

Options ExecCGI


????


> -----Original Message-----
> From: H D Moore [mailto:hdm () secureaustin com]
> Sent: Saturday, June 09, 2001 1:44 PM
> To: Alex Andrews; vuln-dev () securityfocus com
> Subject: Re: script locations (how to setuo scripts as any extention)
>
>
> This is all a bit OT but...
>
> There is another trick you can use to setup an entire directory structure
> that is parsed by the same script.  I have yet to figure out how
> to do it to
> the root directory, although a redirect may possibly do it:
>
> application/x-httpd-php3 /fakedir
>
> Now create a script called 'fakedir' in your document root and use the
> $PATH_INFO environment variable to parse out what document was actually
> requested.  If the "document" requested doesnt exist, you can
> return an exact
> replica of the 404 error page.  This lets you do things like
> create an entire
> document tree which resides only in a database, most major news
> sites use a
> similar technique for storing articles online. For instance, a
> request like:
>
> /fakedir/somedoc54.html
>
> Could be parsed by your script to look up a database record with
> an index of
> 54, then format and return the page.
>
> -HD
>
>
>
> On Saturday 09 June 2001 04:59 am, Alex Andrews wrote:
> > In my previous post, i mentioned how it is possible to setup
> cgi-bin style
> > directories at any location, and run scripts from any file
> extension. The
> > following imforms you of how under Apache at least this is possible:
> >
> >
> > 0) Standard Disclaimer
> > Just to say use the techniques described here at your own risk. You have
> > been told
> >
> > 1) Placing cgi-scripts anywhere
> >
> > The following is taken from my httpd.conf.
> >
> > ---snip---------
> > ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
> >
> > #
> > # "/usr/local/apache/cgi-bin" should be changed to whatever your
> > ScriptAliased # CGI directory exists, if you have that configured.
> > #
> > <Directory "/cgi-bin">
> >     AllowOverride None
> >     Options None
> >     Order allow,deny
> >     Allow from all
> > </Directory>
> > ---snip----
> >
> > As we can see, you can make the script aliased CGI directory, ie the
> > directory where the scripts are stored into anything, and be
> called on the
> > webserver anything. Scripts will only be allowed here (unless...well see
> > below) The syntax is: ScriptAlias < what shall the directory be
> called on
> > the server ie /cgi-bin> <where is the directory, absolute path> For
> > example, if i stored my scripts for some obscure reason in a directory
> > called /usr/local/cgi, and wanted people to access scripts from
> > http://www.myserver.com/script-fu/ i would do the following: ScriptAlias
> > /script-fu/ "/usr/local/cgi"
> > Then add the following access restrictions to the directory:
> > <Directory "/script-fu">
> >     AllowOverride None
> >     Options None
> >     Order allow,deny
> >     Allow from all
> > </Directory>
> > Easy huh! I havent tested this, but in theroy you could even
> make the root
> > of your web server scriptable (make the htdocs directory the same as the
> > script alias) But this is only the start, infact you can easily allow a
> > script to be executed anywhere, in or out of the cgi-bin alike
> directory,
> > by using the AddHandler. The format of the command is simple: AddHandler
> > <what handler> <extension>
> > So if i want to execute my perl anywhere i do this:
> > AddHandler cgi-script .cgi
> > And voila! It's done obviously! I can add as many different
> extensions as I
> > like for it. So if i want scripts with .ale extensions to work
> anywhere i
> > can. AddHandler cgi-script .cgi .ale
> >
> > 2) Make the server parse any document for php/ssi/whatever
> >
> > First lets deal with server side parsing languages, php as the example
> > here. When we install php we add the following lines to where
> ever the mime
> > types are stored for apache (in httpd.conf for me): AddType
> > application/x-httpd-php3 .phpAddType
> application/x-httpd-php3-source .phps
> > There is nothing to stop you allowing php to be parsed from any
> extension
> > you desire. So if want php to be parse out of the much used
> .ale extension
> > i simply do this: AddType application/x-httpd-php3 .php .ale
> > AddType application/x-httpd-php3-source .phps .ale
> > The syntax is then AddType <type> <extension> <extensions>.
> Although I have
> > no experience, the documentation suggests that anyother server side
> > scripting language can be set in a similar manner. Now lets
> deal with those
> > SSI pages, the following lines of the httpd.conf, deal with
> this aspect of
> > the server: AddType text/html .shtml
> > AddHandler server-parsed .shtml
> > Obviously these two varibles can also be changed. If I wanted
> to make all
> > .ale pages ssi parsed i would do the following. AddType text/html .ale
> > AddHandler server-parsed .ale
> > So:
> > AddType <mime type> <extensions>
> > AddHandler <what handler> <extensions>
> >
> > 4) Links
> >
> > The Apache Project Homepage which includes complete documentation:
> > http://www.apache.org The PHP scripting language homepage:
> > http://www.php.net
> >
> >
> > And there we go, thats it, if i managed to keep your attention this far,
> > you are a better person than me.
> >
> > Thanks for your time
> > Alex
> >
> > -------
> > An unexamined life is not worth living
> > --