Thread: Perl security
25th August 2009, 15:43
xtian

If one user installs a Perl script in his cgi-bin (e.g. /web1/user1/), he has access to all other webs. This is a security risk - any idea how to prevent it?
(ispconfig 3, 3.0.1.3, Ubuntu 8.04.1 Hardy Heron)

Perl sample to list all files in /var/www/

Code:
#!/usr/bin/perl
 
print "Content-type: text/html\n\n";

sub dir {
	my $current_folder = shift;
	my @all;

	chdir($current_folder) or die("Cannot access folder $current_folder");

	#Get all the files and folders in the given directory.
	my @both = glob("*");

	my @folders;
	foreach my $item (@both) {
		if(-d $item) { #Get all folders into another array - so that first the files will appear and then the folders.
			push(@folders,$item);
		} else { #If it is a file just put it into the final array.
			push(@all,$item);
		}
	}

	foreach my $this_folder (@folders) {
		#Add the directory name to the return list - comment the next line if you don't want this feature.
		push(@all,"$this_folder/");

		#Continue calling this function for all the folders
		my $full_path = "$current_folder/$this_folder";

		my @deep_items = dir($full_path); # :RECURSION:
		foreach my $item (@deep_items) {
			push(@all,"$this_folder/$item");
		}
	}
	return @all;
}

my @all  = dir("/var/www/");
foreach my $item (@all) { 
	print "--- $item <br>\n";
}
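An added check, not part of the original post: the posted script can walk a directory only if the account running the CGI may both list it (for `glob`) and enter it (for `chdir`). Assuming that access arrives through the "other" permission bits (the post does not say which account runs the CGI), this shell function reports the directories under a base path that are open in that way; the function name `audit_web_perms` and its output format are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Reports directories under BASE
# whose permission bits for "other" allow listing (r) and/or traversal (x).
# Usage after sourcing this file: audit_web_perms [BASE] [DEPTH]
# BASE defaults to /var/www, the path used in the post; DEPTH defaults to 2.
# Requires GNU find and stat (-perm /MODE, -mindepth, stat -c).

audit_web_perms() {
    base="${1:-/var/www}"
    depth="${2:-2}"
    # -perm /005 matches when other-read (4) or other-execute (1) is set
    find "$base" -mindepth 1 -maxdepth "$depth" -type d -perm /005 -exec sh -c '
        for d in "$@"; do
            mode=$(stat -c %a "$d")
            owner=$(stat -c %U:%G "$d")
            other=$(( 0$mode & 7 ))      # lowest octal digit = bits for "other"
            case "$other" in
                5|7) what="list+traverse" ;;   # chdir and glob("*") both succeed
                4|6) what="list-only" ;;       # names visible, chdir fails
                *)   what="traverse-only" ;;   # chdir works, glob("*") is empty
            esac
            printf "%s %s %s %s\n" "$mode" "$owner" "$what" "$d"
        done
    ' sh {} +
}
```

Each output line is `MODE OWNER:GROUP CLASS PATH`; only the `list+traverse` entries can be fully enumerated by a script like the one in the post when it runs as an unrelated account.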