httpd-users mailing list archives

From "Steve" <steve...@iprimus.com.au>
Subject [users@httpd] Re: CGI - Disable #!/bin/sh
Date Sun, 24 Nov 2002 00:08:28 GMT
 Hi,
     How do you stop a client from using something like
 
 ---hack.cgi---
 #!/bin/sh
 echo "Cat all files in user2 dir"
 cat /home/web/users/user2/web/*
 ---hack.cgi---
 
 This will allow someone to cat all the files in user2's dir. Because all
 the files need to be readable by all for the webserver user www to be able
 to read the files, this user will be able to read the files also.
 
 Is there any way of making a CGI stay in its own directory and not be allowed
 to go out of it, or to stop it from running /bin/bash or something like
 that so it can't view other users' files?
 
 /Steve


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

