Perl security

Discussion in 'General' started by xtian, Aug 25, 2009.

  1. xtian

    xtian New Member

    If one user installs a perl script in his cgi-bin (e.g. /web1/user1/), he has access to all other webs. This is a security risk - any idea how to prevent?
    (ISPConfig 3, Ubuntu 8.04.1 Hardy Heron)

    Perl sample to list all files in /var/www/

    #!/usr/bin/perl
    use strict;
    use warnings;

    print "Content-type: text/html\n\n";
    sub dir {
    	my $current_folder = shift;
    	my @all;
    	chdir($current_folder) or die("Cannot access folder $current_folder");
    	#Get the all files and folders in the given directory.
    	my @both = glob("*");
    	my @folders;
    	foreach my $item (@both) {
    		if(-d $item) { #Get all folders into another array - so that first the files will appear and then the folders.
    			push(@folders, $item);
    		} else { #If it is a file just put it into the final array.
    			push(@all, $item);
    		}
    	}
    	foreach my $this_folder (@folders) {
    		#Add the directory name to the return list - comment the next line if you don't want this feature.
    		push(@all, "$this_folder/");
    		#Continue calling this function for all the folders
    		my $full_path = "$current_folder/$this_folder";
    		my @deep_items = dir($full_path); # :RECURSION:
    		foreach my $item (@deep_items) {
    			push(@all, "$this_folder/$item");
    		}
    	}
    	return @all;
    }
    my @all  = dir("/var/www/");
    foreach my $item (@all) {
    	print "--- $item <br>\n";
    }

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Use the svn version from ispconfig which has a high security mode setting which should be able to prevent this. If this is a production server you should wait for the release, which will contain the new mode as well. Also make sure that you enabled suexec.
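
Added example, not part of the thread and not ISPConfig code: once suexec runs each site's CGI scripts as that site's own user, a script like the one in the first post can still reach any site directory whose permissions grant access to "other". This sketch reports such directories; it assumes one directory per site under the base path and GNU find and stat, as on Ubuntu.

```shell
#!/bin/sh
# Added example: report site directories that accounts outside the owner
# and group can list, enter or write to.
# Assumption: each site lives in its own directory under the base path.

# audit_web_root BASE [DEPTH]
# Prints "<octal mode> <owner>:<group> <path>" for every directory up to
# DEPTH levels below BASE (default 1) that has any "other" permission bit set.
# Returns 0 if nothing was found, 1 if at least one directory was reported,
# 2 if BASE is not a directory.
audit_web_root() {
    base=$1
    depth=${2:-1}
    if [ ! -d "$base" ]; then
        echo "not a directory: $base" >&2
        return 2
    fi
    # -perm -0004 / -0002 / -0001 match other-read, other-write, other-execute.
    found=$(find "$base" -mindepth 1 -maxdepth "$depth" -type d \
        \( -perm -0004 -o -perm -0002 -o -perm -0001 \) \
        -exec stat -c '%a %U:%G %n' {} +)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Stand-alone use: sh audit.sh /var/www
if [ "$#" -gt 0 ]; then
    audit_web_root "$@"
fi
```

A directory that shows up here with mode 755 or 711 is one that another site's CGI user can enter; whether the web server itself still needs that access depends on how it is granted group membership on the system.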
