httpd.conf How to prevent user to view it?

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,437
33
473
Go on, have a guess
AlexAT said:
You can only said: /var/cpanel/users/*user* :)
True, but that wouldn't have been as much fun :p

AlexAT said:
And this is not virtual hosting problem but definitely cPanel problem.
Also true, though symptomatic of the underlying difficulties of such an environment. You would have thought their recent security audit could have locked such things down, so one can only assume that it isn't possible with how cPanel works since they haven't addressed what is a well known issue.
 

SupermanInNY

Well-Known Member
Jul 19, 2003
255
0
166
Well.. I'm now forced to disable cgi-bin from the httpd.conf for all my users.
The good thing is,.. I don't have any cgi users who actually use cgi-bin. All of my users
are doing PHP coding, so this at least is not a major setback.

-Alon.
 
Last edited:

casey

Well-Known Member
Jan 17, 2003
2,288
0
191
SupermanInNY said:
Well.. I'm now forced to disable cgi-bin from the httpd.conf for all my users.
The good thing is,.. I don't have any cgi users who actually use cgi-bin. All of my users
are doing PHP coding, so this at least is not a major setback.

-Alon.
It doesn't have to be in the cgi-bin for it to work.
 

anand

Well-Known Member
Nov 11, 2002
1,432
1
168
India
cPanel Access Level
DataCenter Provider
SupermanInNY said:
Well.. I'm now forced to disable cgi-bin from the httpd.conf for all my users.
The good thing is,.. I don't have any cgi users who actually use cgi-bin. All of my users
are doing PHP coding, so this at least is not a major setback.

-Alon.
As casey said, put that file anywhere in public_html, chmod 755, and run it from your browser, no need to use cgi-bin directory.
 

SupermanInNY

Well-Known Member
Jul 19, 2003
255
0
166
anand said:
As casey said, put that file anywhere in public_html, chmod 755, and run it from your browser, no need to use cgi-bin directory.

Nope. I tried to do that, but I can't run cgi scripts outside cgi-bin.
What's the value of the CGI checkbox when you create a new account?
I thought that addes the alias script line and thus provide the allowence to run or not run cgi scripts.

from this: ScriptAlias /cgi-bin/ /home/domain.com/public_html/cgi-bin/

to this: #ScriptAlias /cgi-bin/ /home/domain.com/public_html/cgi-bin/
Just adding the # in the front to disable this.

Don't forget to restart apache after the change and then try it.

I moved it to a new directory, it is all chowned as the domain owner.
I gave the directory 777 and the file 755 and then 777.

I get the following error:

Forbidden
You don't have permission to access /my/my.cgi on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.


--------------------------------------------------------------------------------

Apache/1.3.31 Server at domain.com Port 80

-Alon.
 
Last edited:

casey

Well-Known Member
Jan 17, 2003
2,288
0
191
SupermanInNY said:
Nope. I tried to do that, but I can't run cgi scripts outside cgi-bin.
What's the value of the CGI checkbox when you create a new account?
I thought that addes the alias script line and thus provide the allowence to run or not run cgi scripts.

from this: ScriptAlias /cgi-bin/ /home/domain.com/public_html/cgi-bin/

to this: #ScriptAlias /cgi-bin/ /home/domain.com/public_html/cgi-bin/
Just adding the # in the front to disable this.
All that does is prevent apache from treating everything in the cgi-bin as a cgi script. It does not prevent cgi from working.
 

SupermanInNY

Well-Known Member
Jul 19, 2003
255
0
166
casey said:
All that does is prevent apache from treating everything in the cgi-bin as a cgi script. It does not prevent cgi from working.
So could it be the Suexec or some other security_mod that prevents my server from serving cgi scripts from anywhere else other than the cgi-bin directory?

-Alon.
 

casey

Well-Known Member
Jan 17, 2003
2,288
0
191
Can someone who uses other control panels confirm that this is possible on non-cpanel servers as well? This seems to potentially be quite a privacy issue for clients. There has to be something to prevent this other than disabling php and cgi.
 

SarcNBit

Well-Known Member
Oct 14, 2003
1,001
3
168
SupermanInNY said:
That link is giving me this error:
I would keep having at it. It is working fine for me. There is too much on that page to think about pasting here.
 

AlexAT

Well-Known Member
PartnerNOC
May 23, 2003
202
0
166
Ukraine
cPanel Access Level
Root Administrator
Suexec prevents you from viewing other user's files within they public_html only.
I have it installed and problem still exist.
mod_security can do nothing about it - it is not Apache request but internal system call.

This is cPanel problem only - you can set 640 for httpd.conf and this will fix problem for 100% but cPanel can not work when httpd.conf has 640.

Guys, if you think problem is important to you please add yourself to CC in this bug (http://bugzilla.cpanel.net/show_bug.cgi?id=1286).

Seems we all here can make cPanel stuff to think about product security.
 
Last edited:

SarcNBit

Well-Known Member
Oct 14, 2003
1,001
3
168
chirpy said:
You would have thought their recent security audit could have locked such things down
Was there ever a 'final report' issued or any public statements issued concerning the conclusion of that audit?

I started thinking that the whole thing was a bunch of 'smoke' thrown out to address some of the problems that were ongoing at the time (such as the email password reset bug). The term 'audit' seems to carry some hefty PR status. Without some sort of published/documented results, the breadth of the audit is left to the imagination.
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,437
33
473
Go on, have a guess
SarcNBit said:
Was there ever a 'final report' issued or any public statements issued concerning the conclusion of that audit?
None that I saw.

I just checked the changelog and this is the last entry that I can find:
9.3.0 (build 47) Mon May 24 00:34:21 2004

security audit 70% complete
Maybe it's not finished yet ;)
 

AlexAT

Well-Known Member
PartnerNOC
May 23, 2003
202
0
166
Ukraine
cPanel Access Level
Root Administrator
This problem is not hack or deface problem.
This is confidential problem first.

That is why it is not so published.
But you can look into other forums - this problem appear from time to time in different situations.

In short this problem means: give me account with CGI and I'll let you know how many and which domains you host and I'll get all your users account names and even can start password atack for your users.
 
Last edited:

SarcNBit

Well-Known Member
Oct 14, 2003
1,001
3
168
AlexAT said:
give me account with CGI and I'll ... get all your users account names and even can start password atack for your users.
The last time I checked, you did not even need CGI for that. You could do that via FTP.
 

SupermanInNY

Well-Known Member
Jul 19, 2003
255
0
166
AlexAT said:
This problem is not hack or deface problem.
This is confidential problem first.

That is why it is not so published.
But you can look into other forums - this problem appear from time to time in different situations.

In short this problem means: give me account with CGI and I'll let you know how many and which domains you host and I'll get all your users account names and even can start password atack for your users.

I second this!

AND
From the "Apache HTTP Server Version 1.3 Dynamic Content with CGI"

In order to get your CGI programs to work properly, you'll need to have Apache configured to permit CGI execution. There are several ways to do this.

ScriptAlias
The ScriptAlias directive tells Apache that a particular directory is set aside for CGI programs. Apache will assume that every file in this directory is a CGI program, and will attempt to execute it, when that particular resource is requested by a client.

The ScriptAlias directive looks like:

ScriptAlias /cgi-bin/ /usr/local/apache/cgi-bin/
The example shown is from your default httpd.conf configuration file, if you installed Apache in the default location. The ScriptAlias directive is much like the Alias directive, which defines a URL prefix that is to mapped to a particular directory. Alias and ScriptAlias are usually used for directories that are outside of the DocumentRoot directory. The difference between Alias and ScriptAlias is that ScriptAlias has the added meaning that everything under that URL prefix will be considered a CGI program. So, the example above tells Apache that any request for a resource beginning with /cgi-bin/ should be served from the directory /usr/local/apache/cgi-bin/, and should be treated as a CGI program.

For example, if the URL http://www.example.com/cgi-bin/test.pl is requested, Apache will attempt to execute the file /usr/local/apache/cgi-bin/test.pl and return the output. Of course, the file will have to exist, and be executable, and return output in a particular way, or Apache will return an error message.

CGI outside of ScriptAlias directories
CGI programs are often restricted to ScriptAlias'ed directories for security reasons. In this way, administrators can tightly control who is allowed to use CGI programs. However, if the proper security precautions are taken, there is no reason why CGI programs cannot be run from arbitrary directories. For example, you may wish to let users have web content in their home directories with the UserDir directive. If they want to have their own CGI programs, but don't have access to the main cgi-bin directory, they will need to be able to run CGI programs elsewhere.


I believe that cPanel does restricte the cgi run to the ScriptAlias directories and thus it will not run elsewhere.

The httpd.conf entry that forces that is:

# If you want to use server side includes, or CGI outside
# ScriptAliased directories, uncomment the following lines.
#
# To use CGI scripts:
#
AddType application/x-httpd-php .php
AddType application/x-httpd-php .php4
AddType application/x-httpd-php .php3
AddType application/x-httpd-php-source .phps
AddType application/x-httpd-php .phtml
#AddHandler cgi-script .cgi .pl <------ Default is without the #sign. If you add it,. what would happen?
AddType text/html .shtml
AddType application/x-tar .tgz
AddType text/vnd.wap.wml .wml
AddType image/vnd.wap.wbmp .wbmp
AddType text/vnd.wap.wmlscript .wmls
AddType application/vnd.wap.wmlc .wmlc
AddType application/vnd.wap.wmlscriptc .wmlsc