CGI security problem

[rethaew]

Any help with this problem is appreciated.

The server has Windows2k, Apache 2.2 and Activeperl 5.8. The problem is that there does not seem to be any security with the perl. Any web site that has CGI enabled can run a perl script that will execute system commands, modify files, etc. ANYWHERE on the server, not just in the home directory for that site. This is a gaping security hole that needs to be fixed. So if a user wanted to do some damage, he could in theory delete all other web site folders, destroy some system files, etc. Very bad.

I have searched the web and forums for a solution but this major issues doesn't seem to be addressed much. Can anyone advise on how to limit CGI activity to a web site's home directy with this setup.

Thanks.

 

[feherke]

Hi

Yes, you got the meaning of running the web server as unprivileged user and if possible in chroot. But not sure if this can be done on Windows. If you want security, the changes should start at deeper level : from operating system.

Feherke.

http://rootshell.be/~feherke/

 

[smah]

From this discussion, I see some combination of unsecured server & poorly placed files. To illistrate using the 'perl script to modify files' scenario:[ul][li]The web server should be running with limited user rights[/li][li]The webserver user should only be allowed to run scripts from limited filesytem locations - typically /cgi-bin/[/li][li]The filesystem should control which real users can put scripts into that directory[/li][/ul]