How to disable execution of CGI scripts with other extensions

activa

Well-Known Member
May 23, 2006
Morocco
cPanel Access Level
Root Administrator
Hello,

I want to know if there is any method to disable running CGI scripts with another extension and outside the cgi-bin directory?

Today I found that someone had done the following:

Create .htaccess with the following content:

Code:
Options +FollowSymLinks
DirectoryIndex seees.html
Options +Indexes
Options +ExecCGI
AddType text/plain .php
AddHandler server-parsed .php
Addhandler cgi-script .gif


<IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
</IfModule>

He then renamed script.cgi to script.gif and chmod'ed script.gif to 755.

And all is done.

This script is the famous cgi-telnet. After that he can get the list of users and make a symlink to another user's files with this command:

Code:
ln -s /home/USERNAME/public_html/config.php  file1.txt

And when you put the file1.txt you can see the content of this file.

Does anyone have this issue? Or any suggested solution to prevent an attack like this?
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
I would look at customizing the AllowOverride directive in the Apache configuration; this can be used to restrict what users may set via the Options directive. For verbose detail and clarification please refer to the official Apache/httpd documentation as linked below:
http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
 

hostvn

Member
PartnerNOC
Oct 1, 2007
Ha Noi, Viet Nam
Add this Directory block to httpd.conf:

Code:
<Directory "/home">
# Options keywords with and without +/- must not be mixed on one line, so the
# intended result (All minus ExecCGI, FollowSymLinks and Includes) is listed explicitly.
Options Indexes SymLinksIfOwnerMatch
AllowOverride AuthConfig Indexes Limit FileInfo
</Directory>

<Directory "/usr/local/apache/htdocs">
Options IncludesNOEXEC Indexes SymLinksIfOwnerMatch
AllowOverride None
Order allow,deny
Allow from all
</Directory>

That may help you. But hackers have many ways to attack locally :). I received a report from my tester team: when they symlink:
ln -s /home/USERNAME/public_html/config.php file1.txt
and then use a browser to view it, the web server shows forbidden, but when they try to symlink:
ln -s /home/USERNAME/public_html/config.php index.html
and then use the link http://domain.com/ , it will show all the config :)
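
An added example, not part of any post in this thread: a Python audit an administrator could run over account directories to flag the .htaccess directives quoted in the first post and any symlink that resolves outside an account's document root. The rule names and function names are this example's own, and the sample input is the .htaccess content from the first post.

```python
import os
import re

# Directives from the .htaccess quoted in the thread that a shared-hosting user
# should not be setting. The rule names are this example's own labels.
RISKY = {
    "cgi-handler": re.compile(r"^\s*(Add|Set)Handler\s+cgi-script\b", re.I),
    "exec-cgi": re.compile(r"^\s*Options\b.*(?<!-)\bExecCGI\b", re.I),
    "follow-symlinks": re.compile(r"^\s*Options\b.*(?<!-)\bFollowSymLinks\b", re.I),
    # SecFilterEngine is ModSecurity 1.x (as in the thread); SecRuleEngine is 2.x.
    "modsec-off": re.compile(r"^\s*Sec(Filter|Rule)Engine\s+Off\b", re.I),
}

# The .htaccess content quoted in the first post, used as sample input.
SAMPLE_HTACCESS = """\
Options +FollowSymLinks
DirectoryIndex seees.html
Options +Indexes
Options +ExecCGI
AddType text/plain .php
AddHandler server-parsed .php
Addhandler cgi-script .gif
<IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
</IfModule>
"""

def audit_htaccess(text):
    """Return (line_number, rule_name) for every risky directive in text."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RISKY.items():
            if pattern.search(line):
                hits.append((number, rule))
    return hits

def escaping_symlinks(docroot):
    """Return (link, target) for symlinks under docroot that resolve outside it."""
    root = os.path.realpath(docroot)
    hits = []
    for base, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(base, name)
            target = os.path.realpath(path)
            if os.path.islink(path) and os.path.commonpath([root, target]) != root:
                hits.append((path, target))
    return sorted(hits)

if __name__ == "__main__":
    print(audit_htaccess(SAMPLE_HTACCESS))
```

The symlink check flags a link by where it resolves, not by its name, so a link named index.html is reported the same way as one named file1.txt.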