HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

-   -   Perl security (http://www.howtoforge.com/forums/showthread.php?t=38493)

xtian 25th August 2009 14:43

Perl security
 
If one user installs a perl script in his cgi-bin (e.g. /web1/user1/), he has access to all other webs. This is a security risk - any idea how to prevent this?
(ispconfig 3, 3.0.1.3, Ubuntu 8.04.1 Hardy Heron)

Perl sample to list all files in /var/www/

Code:

#!/usr/bin/perl
use strict;
use warnings;

print "Content-type: text/html\n\n";

# Recursively list everything below $current_folder: files first,
# then each sub-folder followed by its own contents.
sub dir {
        my $current_folder = shift;
        my @all;

        chdir($current_folder) or die("Cannot access folder $current_folder");

        #Get all files and folders in the given directory (glob("*") skips dot-files).
        my @both = glob("*");

        my @folders;
        foreach my $item (@both) {
                #Only real directories are descended into; a symlinked directory is
                #listed like a file so a link loop cannot recurse forever.
                if(-d $item && !-l $item) { #Get all folders into another array - so that first the files will appear and then the folders.
                        push(@folders,$item);
                } else { #If it is a file (or a symlink) just put it into the final array.
                        push(@all,$item);
                }
        }

        foreach my $this_folder (@folders) {
                #Add the directory name to the return list - comment the next line if you don't want this feature.
                push(@all,"$this_folder/");

                #Continue calling this function for all the folders. The path must be
                #absolute because the recursive call chdir()s away from this folder.
                my $full_path = "$current_folder/$this_folder";

                my @deep_items = dir($full_path); # :RECURSION:
                foreach my $item (@deep_items) {
                        push(@all,"$this_folder/$item");
                }
        }
        return @all;
}

my @all  = dir("/var/www/");
foreach my $item (@all) {
        print "--- $item <br>\n";
}


till 25th August 2009 14:51

Use the SVN version of ISPConfig, which has a high security mode setting that should be able to prevent this. If this is a production server, you should wait for the 3.0.1.4 release, which will contain the new mode as well. Also make sure that you have enabled suexec.
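As an added example (not code from this thread, and not how ISPConfig's high security mode is implemented), the following POSIX shell script checks for the condition that the Perl script above relies on: each web root being readable or traversable by "other". With suexec enabled, each site's CGI runs as that site's own Unix user, so stripping the "other" bits from every web root is what actually stops user1's script from walking into /web2. The /var/www/webN layout, and the assumption that Apache reaches a site's static files through the directory's group rather than through "other", are assumptions made here, not facts from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISPConfig.
# Assumption: one directory per web under a base path, named web1, web2, ...
# (the real ISPConfig layout may differ).
set -u

# Succeed (exit 0) when the "other" permission bits of a path grant read or
# execute, i.e. when any local user - including another customer's CGI run
# via suexec - can list or traverse it. Uses GNU stat(1).
other_can_reach() {
    _mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    _other=$(( _mode % 10 ))          # last octal digit: permissions for "other"
    [ $(( _other & 5 )) -ne 0 ]       # 4 = read, 1 = execute (traverse)
}

# Strip every "other" bit from a web root so that only its owner (the
# web's suexec user) and its group can enter it. Assumption: the web server
# reaches the site's static files through the directory's group, so group
# permissions are left untouched.
lock_webroot() {
    chmod o-rwx "$1"
}

# Walk all web roots under $1 (default /var/www), report exposed ones and
# return 1 if any was found, 0 if all are locked down.
audit_webroots() {
    _base=${1:-/var/www}
    _rc=0
    for _d in "$_base"/web*; do
        [ -d "$_d" ] || continue
        if other_can_reach "$_d"; then
            echo "EXPOSED: $_d ($(stat -c '%a %U:%G' "$_d"))"
            _rc=1
        else
            echo "ok:      $_d"
        fi
    done
    return $_rc
}

# Demo on a constructed layout in a temp dir (no real web roots are touched).
demo=$(mktemp -d)
mkdir "$demo/web1" "$demo/web2"
chmod 755 "$demo/web1"     # typical default: world-traversable
chmod 750 "$demo/web2"     # already locked down
audit_webroots "$demo" || echo "exposed web root(s) found"
lock_webroot "$demo/web1"
audit_webroots "$demo" && echo "all web roots locked down"
rm -rf "$demo"
```

On a real server, run `audit_webroots /var/www` as root first and only call `lock_webroot` once you have confirmed that Apache still has a path to each site's static content via the owner or group bits; otherwise the sites stop serving. Whether suexec is actually loaded can be confirmed with `apache2ctl -M`, which lists `suexec_module` when it is.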

