CGI Security

Discussion in 'Installation/Configuration' started by alexillsley, May 14, 2007.

  1. alexillsley

    alexillsley ISPConfig Developer ISPConfig Developer

    Hi,
    How can I stop people from creating a CGI script like this one I created below, which gets the contents of /etc/passwd? Can I jail CGI somehow?

    test.cgi
    Code:
    #!/bin/bash
     
    echo "Content-Type: text/plain"
    echo ""
    cat /etc/passwd
    Thanks,
    Alex
     
  2. falko

    falko Super Moderator ISPConfig Developer

  3. alexillsley

    alexillsley ISPConfig Developer ISPConfig Developer

  4. alexillsley

    alexillsley ISPConfig Developer ISPConfig Developer

  5. till

    till Super Moderator Staff Member ISPConfig Developer

    As far as I know, suphp is also able to run cgi scripts (not just php scripts) under the correct user and chroot them.
     
  6. alexillsley

    alexillsley ISPConfig Developer ISPConfig Developer

    Hi,
    Sounds good :) Is there a tutorial anywhere about how to chroot CGI scripts with suphp? I will have to remove CGI access otherwise :(

    Thanks,
    Alex
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    I'm not aware of a tutorial. But you should get it to work with the suphp manual as well, as it documents all configuration options incl. chrooting.
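
Added example, not part of the thread and not ISPConfig's or suPHP's shipped configuration: a trimmed suphp.conf showing the settings the replies above refer to, with the unjailed setting beside the jailed one. The key names follow suPHP's sample configuration; the jail path /srv/cgi-jail and the interpreter path are assumptions, and the layout of the jail is left to the suPHP manual.

```ini
; suphp.conf (constructed example; paths are hypothetical)
[global]
logfile=/var/log/suphp.log
loglevel=info

; Before: no chroot configured, so a CGI script sees the host
; filesystem and test.cgi can read the real /etc/passwd
;chroot=/mychroot

; After: suPHP calls chroot() to this directory before executing
; the script, so /etc/passwd resolves inside the jail
chroot=/srv/cgi-jail

; Refuse scripts or directories that users other than the owner can modify
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false

; Require the script to be inside the virtual host's DOCUMENT_ROOT
check_vhost_docroot=true
errors_to_browser=false
env_path=/bin:/usr/bin
umask=0077

; Never execute scripts under low-numbered system accounts
min_uid=100
min_gid=100

[handlers]
; PHP scripts go through the PHP CGI binary
x-httpd-php="php:/usr/bin/php"
; CGI scripts such as test.cgi are executed directly by suPHP
x-suphp-cgi="execute:!self"
```

Everything a script needs at run time (for test.cgi, /bin/bash, cat and their shared libraries) has to exist inside the jail, and the jail should contain only a minimal /etc/passwd rather than a copy of the host's.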
     
