Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

How to disable Perl for all users?

Discussion in 'General Discussion' started by konrath, Sep 21, 2009.

  1. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Brasil
    Hello

    I want disable perl for all users. How to ? :confused:

    Hackers are using perl files to change the index page of all
    sites on the server.

    If I put 750 permission to /user/bin/perl the WHM, CPANEL and WEBMAI stop
    working.

    I want no more keep PERL to my users. Perl is very insecure !!!!

    Thank you
    Konrath
     
    #1 konrath, Sep 21, 2009
  2. thewebhosting

    thewebhosting Well-Known Member

    Joined:
    May 9, 2008
    Messages:
    1,201
    Likes Received:
    1
    Trophy Points:
    68
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 thewebhosting, Sep 21, 2009
  3. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Brasil
    Thank you

    Konrath
     
    #3 konrath, Sep 21, 2009
  4. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Brasil
    Hello

    The AddHandler cgi-script .cgi .pl was removed from httpd but scripts in perl still working.

    Another sugestion?

    Thank you
    Konrath
     
    #4 konrath, Sep 22, 2009
  5. agressor

    agressor Active Member

    Joined:
    May 15, 2005
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    156
    if you remove from httpd.conf that line, hackers can add in .htaccess lines for execute cgi files with diferent extention like

    AddHandler cgi-script .txt

    and must be carfefull with allowoverirde because this can stop of work sites what use htaccess.


    i create a thread there: http://forums.cpanel.net/f5/how-can-disable-cgi-bin-131657.html

    but as u can see... the reply from tech.. is not satistactory. and the security problem still


    Edit by cPanel staff:

    This will break cPanel. The permissions of the Perl binary file need to be left as 755 in order for cPanel to work. Changing the permissions of the Perl binary is not a valid way to secure your cPanel server.


    cherss

    Francisco.-
     
    #5 agressor, Sep 23, 2009
    Last edited by a moderator: Jun 18, 2010
  6. cPanelJared

    cPanelJared Technical Analyst

    Joined:
    Feb 25, 2010
    Messages:
    1,835
    Likes Received:
    21
    Trophy Points:
    143
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    This will break cPanel

    This will break cPanel. Most cPanel functions run as the account user, and if the Perl binary file is not executable by anybody, errors will occur in cPanel. The permissions on the Perl binary file need to be left as 755 on a cPanel server.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 cPanelJared, Jun 18, 2010
  7. Stefan

    Stefan Member

    Joined:
    Jul 24, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    151
    cPanel Access Level:
    DataCenter Provider
    Hello,

    Do you have any update about this issue.
    I have tried also to disable cgi from whm for an user , but it is still working.
    On httpd.conf for that site i have :
    "
    Options -ExecCGI -Includes
    RemoveHandler cgi-script .cgi .pl .plx .ppl .perl
    "
    but not result.

    I need also an solution that cant be overwritten by an user from htaccess.

    Thank you

    Stefan
     
    #7 Stefan, Jul 30, 2010
  8. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    716
    Likes Received:
    8
    Trophy Points:
    243
    I'd start by revisiting the premise that “Perl is very insecure !!!!”:
    1. You can do the same thing w/ a shell, php, ruby, python, etc etc.
    2. They are probably leveraging a PHP exploit to, ultimately, execute arbitrary commands (that happen to be executing the perl binary in the case that prompted the question)

    The real solution here is to harden PHP (how Apache runs it, what its allowed to do, etc) and make sure your users always update their PHP scripts.

    Similar to my note here: http://forums.cpanel.net/f185/how-prevent-running-binary-files-178881.html#post1228062
     
    #8 cPDan, Sep 13, 2012
    postcd likes this.
(You must log in or sign up to post here.)
Loading...
Similar Threads - disable Perl users
  1. UxCrazy

    Properly disable redirect to hostname?

    UxCrazy, Jul 24, 2018, in forum: General Discussion
    Replies:
    3
    Views:
    256
    cPanelMichael
    Jul 25, 2018
  2. MattGarner

    New Thread PHP FPM & Disable Functions

    MattGarner, Dec 11, 2018 at 3:57 PM, in forum: EasyApache
    Replies:
    0
    Views:
    23
    MattGarner
    Dec 11, 2018 at 3:57 PM
  3. JurgenS

    Disable cron notification for all users?

    JurgenS, Dec 5, 2018 at 2:02 AM, in forum: E-mail Discussion
    Replies:
    1
    Views:
    268
    cPanelLauren
    Dec 6, 2018 at 11:31 AM
  4. Rajesh Chauhan

    Does Enginetron Disable htaccess functionality?

    Rajesh Chauhan, Nov 30, 2018, in forum: EasyApache
    Replies:
    2
    Views:
    189
    cPanelLauren
    Dec 3, 2018
  5. MarceloKonrath

    Disable EA3 deprecated message from resellers?

    MarceloKonrath, Nov 14, 2018, in forum: EasyApache
    Replies:
    1
    Views:
    104
    cPanelLauren
    Nov 15, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice