
Date:  Wed, 22 Feb 2006 01:03:22 +0900
From:  Hisao SHIBUYA <shibuya (at mark) alpha.or.jp>
Subject:  [coba-e:04144] Re: security-alert: Preview site
To:  coba-e (at mark) bluequartz.org
Message-Id:  <43FB39CA.3 (at mark) alpha.or.jp>
In-Reply-To:  <20060221145810.GA13638 (at mark) xs4all.nl>
References:  <20060221145810.GA13638 (at mark) xs4all.nl>
X-Mail-Count: 04144

Hi,

Exactly, preview sites aren't allowed cgi, ssi and php.
The easy fix is to allow cgi, ssi and php on all preview sites, but I think this
has another issue. The virtual site isn't allowed php, but php works on
the preview site URL.

The workaround is to write the following settings in
/etc/httpd/conf.d/server.conf
-----
AddHandler cgi-wrapper .cgi
AddHandler cgi-wrapper .pl
AddHandler server-parsed .shtml
AddType text/html .shtml
AddType application/x-httpd-php .php4
AddType application/x-httpd-php .php
-----
And restart httpd.
But if you add a new virtual site with a preview site, server.conf will be
written again.

I'll fix this issue by making the preview site's cgi, ssi and php settings the
same as the original virtual site's settings.

Regards,
Hisao


Maurice de Laat wrote:
> Hi,
> 
> When creating a virtual site on BQ, one can enable 'Preview Site 
> Configuration', which basically allows one to preview the site on the 
> address http://ServerName/VsiteName
> 
> This setting allows viewing php code.
> 
> If one puts php scripts on the new virtual site and accesses them by 
> using the preview-url, the clear php code (including passwords entered in 
> them) shows up in a browser! Even if php is enabled on the main site.
> 
> Does anybody know a way to close this hole?
> 
> Thank you
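
Because server.conf is rewritten whenever a virtual site with a preview site is added, the workaround can disappear without notice. The script below is an added example, not part of the original thread or of BlueQuartz: it reports which of the six mappings from the reply are absent from a given config file. The function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: detect when the workaround mappings are gone from a config file.
# The required mappings are the six lines from the reply; names here are hypothetical.
REQUIRED='addhandler cgi-wrapper .cgi
addhandler cgi-wrapper .pl
addhandler server-parsed .shtml
addtype text/html .shtml
addtype application/x-httpd-php .php4
addtype application/x-httpd-php .php'

# Print one "directive argument extension" line per mapping found in file $1.
list_mappings() {
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out directives
        tolower($1) == "addhandler" || tolower($1) == "addtype" {
            for (i = 3; i <= NF; i++)            # one directive may list several extensions
                print tolower($1), $2, $i
        }' "$1"
}

# Print each required mapping absent from file $1; return 1 if any is missing.
missing_mappings() {
    found=$(list_mappings "$1")
    status=0
    while IFS= read -r want; do
        if ! printf '%s\n' "$found" | grep -Fqx -- "$want"; then
            printf '%s\n' "$want"
            status=1
        fi
    done <<EOF
$REQUIRED
EOF
    return $status
}

# With no argument, run against a constructed sample that lacks the PHP lines.
if [ "$#" -eq 0 ]; then
    sample=$(mktemp)
    printf '%s\n' 'AddHandler cgi-wrapper .cgi .pl' \
        'AddHandler server-parsed .shtml' 'AddType text/html .shtml' > "$sample"
    set -- "$sample"
fi
if missing_mappings "$1"; then
    echo "workaround mappings present in $1"
else
    echo "the mappings listed above are missing from $1" >&2
fi
[ -z "${sample:-}" ] || rm -f "$sample"
```

Run it with the path to server.conf as the only argument, for example after adding a virtual site. It checks only the text of that one file, not what other included files configure.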