#1
25th August 2009, 14:43
xtian, Junior Member
Perl security

If one user installs a perl script in his cgi-bin (e.g. /web1/user1/), he has access to all other webs. This is a security risk - any idea how to prevent this?
(ispconfig 3, 3.0.1.3, Ubuntu 8.04.1 Hardy Heron)

Perl sample to list all files in /var/www/

Code:
#!/usr/bin/perl
use strict;
use warnings;

print "Content-type: text/html\n\n";

# Recursively collect every file and folder below the given directory.
sub dir {
	my $current_folder = shift;
	my @all;

	chdir($current_folder) or die("Cannot access folder $current_folder");

	# Get all files and folders in the given directory.
	my @both = glob("*");

	my @folders;
	foreach my $item (@both) {
		if (-d $item) { # Collect folders separately, so the files are listed first and the folders after.
			push(@folders, $item);
		} else { # A plain file goes straight into the final array.
			push(@all, $item);
		}
	}

	foreach my $this_folder (@folders) {
		# Add the directory name to the return list - comment out the next line if you don't want this feature.
		push(@all, "$this_folder/");

		# Recurse into every subfolder (absolute path, since chdir() above changed the working directory).
		my $full_path = "$current_folder/$this_folder";

		my @deep_items = dir($full_path); # :RECURSION:
		foreach my $item (@deep_items) {
			push(@all, "$this_folder/$item");
		}
	}
	return @all;
}

my @all = dir("/var/www/");
foreach my $item (@all) {
	print "--- $item <br>\n";
}
#2
25th August 2009, 14:51
till, Super Moderator

Use the svn version from ispconfig which has a high security mode setting which should be able to prevent this. If this is a production server you should wait for the 3.0.1.4 release, which will contain the new mode as well. Also make sure that you enabled suexec.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
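Whether one site's CGI script can list another site's files depends not only on suexec but on the per-site directories being reachable by other accounts at all. The following is an added example, not code from the thread or from ISPConfig: it assumes GNU find (as on Ubuntu), one directory per site under a base path, and that the web server reaches each site through the site's group, and it works on a constructed sample layout rather than a real /var/www.

```shell
#!/bin/sh
# Added example (not from the thread): audit per-site web roots for
# permission bits that let any other local account, including a CGI
# script running under another site's user, read or traverse them.

# Print every immediate subdirectory of $1 that grants "others" any of
# r/w/x. This is the precondition for the cross-site listing in the
# question. Output is sorted so callers get a stable list.
audit_web_roots() {
    base="$1"
    find "$base" -mindepth 1 -maxdepth 1 -type d -perm /o=rwx | sort
}

# Close the "others" bits on every flagged site root. Assumption: the
# web server process belongs to each site's group (as with per-site
# suexec setups), so group access is enough for serving pages.
harden_web_roots() {
    base="$1"
    find "$base" -mindepth 1 -maxdepth 1 -type d -perm /o=rwx \
        -exec chmod o-rwx {} +
}

# Constructed sample layout (hypothetical site names), never a real
# document root: prints the temporary base directory it created.
make_sample_layout() {
    base=$(mktemp -d)
    mkdir "$base/web1" "$base/web2" "$base/web3"
    chmod 755 "$base/web1"   # world-readable: listable by any local user
    chmod 750 "$base/web2"   # group only: the shape we want
    chmod 711 "$base/web3"   # traversable by others: files inside reachable
    printf '%s\n' "$base"
}

# Stand-alone demo on the constructed layout.
sample=$(make_sample_layout)
echo "Site roots reachable by other accounts, before hardening:"
audit_web_roots "$sample"
harden_web_roots "$sample"
echo "After hardening (expected: nothing listed):"
audit_web_roots "$sample"
rm -rf "$sample"
```

Run the audit against the real base directory only after checking which user and group Apache actually runs as, since closing the "others" bits on a site the server reaches only as "other" would stop it serving that site.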