Good Day. I have recently been put in charge of managing a web server and I am not very familiar with Apache, or web servers in general, so please forgive my ignorance.
The server has Windows2k, Apache 2.2 and Activeperl 5.8. The problem is that there does not seem to be any security with the perl. Any web site that has CGI enabled can run a perl script that will execute system commands, modify files, etc. ANYWHERE on the server, not just in the home directory for that site. This is a gaping security hole that needs to be fixed. So if a user wanted to do some damage, he could in theory delete all other web site folders, destroy some system files, etc. Very bad.
I have searched the web and forums for a solution but this major issues doesn't seem to be addressed much. Can anyone advise on how to limit CGI activity to a web site's home directy with this setup.
Thanks.
Tim
[apache-server.com...]
I have personally never had to set it up but maybe another user here knows the drill. The above should explain though. Not sure if it's applicable to all veersion of Apache though.
This should get you started
[httpd.apache.org...]
Are you saying that someone can create a perl script on thier own server, and then coerce your server to execute it?
Restricting perl activity to just the webroot (and it's subdirectories) would be a totally counter productive measure. There are plenty of examples of data that you'd like to keep away from your users DIRECT access (such as databse files, password files etc..). If these files were forced into the publicly accessible area, this would be an even greater security issue.
[edited by: texmex at 3:36 pm (utc) on June 19, 2006]
