Topic: Security issue with Windows2k and CGI
rethaew
Joined: 14 Jun 2006 Posts: 3
Posted: Wed 14 Jun '06 15:52 Post subject: Security issue with Windows2k and CGI
Good Day. I have recently been put in charge of managing a web server and I am not very familiar with Apache, or web servers in general, so please forgive my ignorance.
The server has Windows2k, Apache 2.2 and Activeperl 5.8. The problem is that there does not seem to be any security with the perl. Any web site that has CGI enabled can run a perl script that will execute system commands, modify files, etc. ANYWHERE on the server, not just in the home directory for that site. This is a gaping security hole that needs to be fixed. So if a user wanted to do some damage, he could in theory delete all other web site folders, destroy some system files, etc. Very bad.
I have searched the web and forums for a solution but this major issue doesn't seem to be addressed much. Can anyone advise on how to limit CGI activity to a web site's home directory with this setup?
Thanks.
Tim
Jcink
Joined: 06 Mar 2006 Posts: 23
Posted: Wed 21 Jun '06 0:28 Post subject:
For Windows, I don't believe there is a solution. Unlike PHP, which has the open_basedir restriction, I don't think CGI has anything like that. You need to be able to set permissions and stuff, and chroot; there isn't any of that on Windows.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Wed 21 Jun '06 17:45 Post subject:
You can secure it by the user. You can create a new user that can only access the web folders. Put that user on the CGI handler (*.exe) and remove all other users.
It is like this topic
http://www.apachelounge.com/viewtopic.php?t=460
rethaew
Joined: 14 Jun 2006 Posts: 3
Posted: Wed 21 Jun '06 18:14 Post subject:
Thanks for your suggestions. Can you give further explanation for where you say:
"Put that user to the cgi handler (*.exe) and remove all other users."
I am not sure of where or how this is done.
Thanks
Tim
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Wed 21 Jun '06 18:48 Post subject:
I think you are using Windows XP or 2000(?)
e.g.
- search for the perl.exe you use as the cgi handler.
- Right Click => Properties => Security
- Add the new user with the lower permissions
- remove all other users (maybe the SYSTEM user must be left, not sure)
- Choose the new user
- Use the checkboxes below to choose what the user will be allowed to do
I think you should use guest or a normal user for the new user account.
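The GUI steps above, as an added example that is not from this thread or from the Apache project: a PowerShell script that applies the same "dedicated low-privilege account" idea with icacls, and goes a little further than the post by also scoping that account's write access to the site tree and running the Apache service under it. Everything in it is an assumption to adapt: the account name cgi-runner, the paths, the service name Apache2.2 (the 2.2 installer default), and icacls itself, which exists on Vista/Server 2008 and later; Windows 2000 only ships the older cacls. The reason the service account matters is that on Windows, CGI children run with the same token as the Apache service, so that account's file-system rights are what actually bound what a script can reach; the ACL on perl.exe only limits who may launch the interpreter.

```powershell
# Added example (not from the Apache Lounge thread). All names below are
# placeholders; the account must already exist as a local, non-admin user.
$CgiAccount  = 'cgi-runner'              # assumed: dedicated low-privilege local account
$PerlExe     = 'C:\Perl\bin\perl.exe'    # assumed: interpreter Apache invokes for CGI
$SiteRoot    = 'C:\path\to\my\sites'     # assumed: the only tree the account may write to
$ServiceName = 'Apache2.2'               # assumed: default service name of Apache 2.2

# 1. perl.exe: drop inherited ACEs, then grant read+execute to the CGI account
#    and keep full control only for SYSTEM and Administrators.
icacls $PerlExe /inheritance:r
icacls $PerlExe /grant:r "${CgiAccount}:(RX)"
icacls $PerlExe /grant:r 'NT AUTHORITY\SYSTEM:(F)'
icacls $PerlExe /grant:r 'BUILTIN\Administrators:(F)'

# 2. Web tree: the CGI account gets Modify on its own sites only.
#    (OI)(CI) make the entry inherit to files and subfolders.
icacls $SiteRoot /grant:r "${CgiAccount}:(OI)(CI)(M)"

# 3. Run the Apache service as that account so every CGI process inherits
#    its limits. sc.exe needs the space after 'obj=' and 'password='.
#    Note: sc.exe does not grant "Log on as a service"; assign that right
#    (secpol.msc or the Services GUI does it for you) or the service won't start.
$pw = Read-Host -Prompt "Password for $CgiAccount"
sc.exe config $ServiceName obj= ".\$CgiAccount" password= $pw
Restart-Service -Name $ServiceName

# 4. Check: the effective ACL on perl.exe should list only the three
#    principals granted above.
icacls $PerlExe
```

Before restarting, also give the account read access to the Apache install tree and write access to its logs directory; without those the service fails to start, which is the first thing to check if step 3 appears to break the server.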
YoDude9999
Joined: 23 Jun 2006 Posts: 3
Posted: Sat 24 Jun '06 3:54 Post subject:
In the httpd.conf file, you set access options. Here's mine:
Code:
    <Directory "C:/path/to/my/sites/cgi-bin">
        AllowOverride None
        Options +ExecCGI +Includes
        Order allow,deny
        Allow from all
    </Directory>
You can define any directory this way.