AlienCode
May 9th, 2003, 02:56 AM
Hey Guys,
I would like to know how you guys overcome problems with CGI scripts being able to read any files on the server? I found a CGI script called CGI-telnet and it emulates a telnet window through a web interface. Through this I found that I could view any file in any directory on my server. I am using suexec, so the script is running as the owner of the script and not Apache, but I can still view other people's files. I'm guessing this is due to the world read setting on each file, which Apache seems to require.
Is there a way of restricting where the CGI scripts can have access to on the file system? I.e. restrict them so they can't read a file outside of the CGI Bin.
I'd appreciate any help.
Cheers
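Added example, not part of the original post: a shell audit for the condition the post guesses at, listing files that an account other than the owner could read because the file has other-read and every directory above it has other-search. The function names and the two-account sample tree are constructed, and it assumes classic mode bits only (no ACLs, accounts not sharing a group, TOP given without a trailing slash).

```shell
#!/bin/sh
# Added example (not from the original post). Mode bits only; ACLs are ignored.

# other_has PATH r|x: does the "other" class have that bit on PATH?
other_has() {
    m=$(ls -ld -- "$1" | cut -c8-10)      # e.g. "r-x" taken from "drwxr-xr-x"
    case "$2" in
        r) case "$m" in r??) return 0 ;; esac ;;
        x) case "$m" in ??x|??t) return 0 ;; esac ;;   # t = sticky bit plus x
    esac
    return 1
}

# other_can_read FILE TOP: other-read on FILE and other-search on every
# directory from FILE's parent up to and including TOP.
other_can_read() {
    other_has "$1" r || return 1
    d=$(dirname -- "$1")
    while [ "$d" != "$2" ] && [ "$d" != "/" ] && [ "$d" != "." ]; do
        other_has "$d" x || return 1
        d=$(dirname -- "$d")
    done
    other_has "$d" x
}

# exposed_files TOP: list files a different, non-group account could read.
# File names containing newlines are not handled.
exposed_files() {
    find "$1" -type f -perm -o=r | sort | while IFS= read -r f; do
        if other_can_read "$f" "$1"; then printf '%s\n' "$f"; fi
    done
}

# build_sample TOP: constructed layout with two hosting accounts.
build_sample() {
    mkdir -p "$1/alice/public_html" "$1/bob/private"
    echo page   > "$1/alice/public_html/index.html"
    echo dbpass > "$1/alice/public_html/config.pl"
    echo notes  > "$1/bob/private/secret.txt"
    chmod 755 "$1" "$1/alice/public_html" "$1/bob/private"
    chmod 711 "$1/alice"; chmod 700 "$1/bob"
    chmod 644 "$1/alice/public_html/index.html" "$1/bob/private/secret.txt"
    chmod 600 "$1/alice/public_html/config.pl"
}

top=$(mktemp -d) && build_sample "$top" && exposed_files "$top"
rm -rf "$top"
```

In the sample tree only `index.html` is reported: `config.pl` lacks other-read, and `secret.txt` is world-readable but sits under a directory with mode 700.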