tech-pkg: apache and scripts in libexec/cgi-bin

Subject: apache and scripts in libexec/cgi-bin
To: None <tech-pkg@netbsd.org>
From: Martti Kuparinen <martti.kuparinen@iki.fi>
List: tech-pkg
Date: 11/14/2002 11:09:52

I ran nessus against my web server and got this:

> Warning found on port https (443/tcp)
>
> The 'printenv' CGI is installed.
> printenv normally returns all environment variables.
>
> This gives an attacker valuable information about the
> configuration of your web server.
>
> Solution : Remove it from /cgi-bin.
>
> Risk factor : Medium

I think we can install the default scripts but they should not
be executable. Any objections if I commit something like this
to www/apache and www/apache6:

Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/www/apache/Makefile,v
retrieving revision 1.110
diff -u -r1.110 Makefile
--- Makefile	2002年10月25日 09:00:29	1.110
+++ Makefile	2002年11月14日 09:05:44
@@ -188,6 +188,7 @@
 		${RM} -f ${PKG_SYSCONFDIR}/$${file}.default;		\
 	done
 	${INSTALL_DATA} ${DISTDIR}/sitedrivenby.gif ${PREFIX}/share/httpd/htdocs
+	${CHMOD} 0 libexec/cgi-bin/printenv libexec/cgi-bin/test-cgi
 .include "../../devel/libmm/buildlink2.mk"
 .include "../../textproc/expat/buildlink2.mk"
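
Review bot: The added `${CHMOD} 0 libexec/cgi-bin/printenv libexec/cgi-bin/test-cgi` line uses paths relative to whatever directory the install step happens to run in, while the `${INSTALL_DATA}` line directly above it spells out `${PREFIX}/share/httpd/htdocs`. Writing the targets as `${PREFIX}/libexec/cgi-bin/printenv` and `${PREFIX}/libexec/cgi-bin/test-cgi` would make the change independent of the working directory. Mode 0 also removes read permission, which goes further than the stated aim of making the scripts non-executable; a mode such as 0444 would keep the samples readable while still preventing the server from running them. A one-line comment above the `${CHMOD}` saying why the sample CGIs are disabled would help whoever touches this target next.
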
Martti
---
Martti Kuparinen <martti.kuparinen@iki.fi> NetBSD - No media hype
http://www.iki.fi/kuparine/ http://www.netbsd.org/
