Perl security

Discussion in 'General' started by xtian, Aug 25, 2009.

  1. xtian

    xtian New Member

    If one user installs a perl script in his cgi-bin (e.g. /web1/user1/), he as access to all other webs. This is a security risk - any idea how to prevent?
    (ispconfig 3, 3.0.1.3, Ubuntu 8.04.1 Hardy Heron)

    Perl sample to list all files in /var/www/

    Code:
    #!/usr/bin/perl
     
    print "Content-type: text/html\n\n";
    
    sub dir {
    	my $current_folder = shift;
    	my @all;
    
    	chdir($current_folder) or die("Cannot access folder $current_folder");
    
    	#Get the all files and folders in the given directory.
    	my @both = glob("*");
    
    	my @folders;
    	foreach my $item (@both) {
    		if(-d $item) { #Get all folders into another array - so that first the files will appear and then the folders.
    			push(@folders,$item);
    		} else { #If it is a file just put it into the final array.
    			push(@all,$item);
    		}
    	}
    
    	foreach my $this_folder (@folders) {
    		#Add the directory name to the return list - comment the next line if you don't want this feature.
    		push(@all,"$this_folder/");
    
    		#Continue calling this function for all the folders
    		my $full_path = "$current_folder/$this_folder";
    
    		my @deep_items = dir($full_path); # :RECURSION:
    		foreach my $item (@deep_items) {
    			push(@all,"$this_folder/$item");
    		}
    	}
    	return @all;
    }
    
    my @all  = dir("/var/www/");
    foreach my $item (@all) { 
    	print "--- $item <br>\n";
    }
    
    
     
  2. till

    till Super Moderator

    Use the svn version from ispconfig which has a high security mode setting which should be able to prevent this. If this is a production server you should wait for the 3.0.1.4 release, which will contain the new mode as well. Also make sure that you enabled suexec.
     

Share This Page