adhi91 wrote: Sorry, I am quite new to PHP and this is my first time knowing that I need to prevent CGI scripts from being executed.
Alright. Here's a little story.
Let's say I don't like you. Let's say I also discover this little site of yours where I can upload C code and your server compiles it for me. So now my first thought is, at the very least I can get your server penalized for hosting malware and viruses and all sorts of nasty things; all I have to do is upload a malicious C program, wait for your site to compile it, and distribute the URL of the compiled program. So now your site is a bad place and browsers like Firefox and Chrome, and sites like Google, give all your visitors a mean little warning about how the site can compromise their computer.
Now I get creative. I figure there's a chance of other vulnerabilities on your site. I poke around and find an XSS vulnerability in something user-generated. Maybe a comments page. That means I can get a page on your site showing whatever HTML I want. For that HTML I choose a bit of JavaScript that redirects the browser to the compiled EXE I made earlier, and now your site hosts drive-by downloads. Note that I could have made the browser redirect to a malicious site or include some malicious JavaScript I have hosted somewhere else.
Here's the best part: that's what I could do if you prevent CGI scripts from being executed. If you don't prevent it, and I must admit that your web server probably does, then I could execute whatever code I want on your server. Anything. Since I'm malicious, I'm going to write a virus and your server is going to be so nice as to execute it for me. But I think about it and decide no, not a virus: I'm going to find an exploit on your machine and make use of it. Now I have root access to your computer and you don't even know. Emails, uploads, passwords, configuration... everything is at my fingertips, and as long as I keep my actions conservative, you probably would never find out.
The second-best part is that I might not even have to go through all that work. You're sticking all file uploads in a web-accessible location. Sure, they're supposed to be files with C code, but what if they're not? So I try uploading a PHP script and... it doesn't compile. Of course not, I never expected it to. But I do see that the original file is still around. I browse to it and my script runs. So now we're back to the same situation: I can run arbitrary code on your machine, gain root access, pry into your private files, add the computer to my botnet, and do whatever I want.
After saying all that, know that I'm not malicious (normally). I don't want to scare you. But I do want you to get a glimpse of the bad things that can happen because there are people out there who are malicious.
The good news is that everything I said above can be prevented with a bit of know-how. If you're truly only allowing *.c files then I probably can't upload anything but C code (well, it could be anything, but the file would have a .c extension). But even that depends on your web server. That aside, there are still executables floating around. Two basic requirements:
1. Make sure that CGI scripts cannot be executed in that directory. It doesn't hurt to explicitly state so rather than assuming it won't happen by default. This means the server will not execute "programs" in that directory. It will continue to execute PHP scripts and show images and all the things it would normally do.
2. Make sure these executables can't be automatically downloaded. This typically means some kind of authentication but there are alternatives. There are other precautions too like cleaning up old files.
And after all that, I don't recommend you make this available on a public site. It's a cool learning experience, you get to find out about executing programs from PHP and file uploads and things that you might not find on a "normal" website, but it's quite risky if you let just anybody use it.
If you're wondering, if I were doing it I wouldn't make it public either. I just wouldn't be comfortable with it. There's lots of planning and research I'd have to do before I felt knowledgeable enough to be able to prevent any problems.
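As an added illustration of the two requirements above (not code from the original post or from adhi91's site), this PHP keeps uploads and compiled output outside the web root so Apache can neither serve nor execute them, hands a binary out only after a session check, and purges old files. The data directory, the `.out` naming and the `$_SESSION['user']` check are assumptions.

```php
<?php
// Added example, not the poster's code. Assumed layout: sources and binaries
// live in /var/app/compiler-data, which is NOT under DocumentRoot, so the web
// server never sees them; only this script can hand them out.
const DATA_DIR = '/var/app/compiler-data';  // assumption: outside the web root
const MAX_AGE  = 3600;                       // drop artefacts older than an hour

// Accept an upload only if it is really named *.c, and store it under a
// server-generated name so the visitor never controls the path.
function store_upload(array $file): string {
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)) !== 'c') {
        throw new RuntimeException('only .c sources are accepted');
    }
    $id   = bin2hex(random_bytes(16));       // unguessable, no user input in it
    $dest = DATA_DIR . "/$id.c";
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $id;                              // caller compiles $id.c to $id.out
}

// Return a compiled binary only to a logged-in user, and only as a download
// (attachment), never as something the web server would execute.
function serve_compiled(string $id): void {
    if (empty($_SESSION['user'])) {          // assumption: session-based login
        http_response_code(403);
        exit;
    }
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {  // rejects ../ and other junk
        http_response_code(400);
        exit;
    }
    $path = DATA_DIR . "/$id.out";
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $id . '.out"');
    readfile($path);
}

// Housekeeping: remove sources and binaries older than MAX_AGE seconds.
function purge_old(): int {
    $removed = 0;
    foreach (glob(DATA_DIR . '/*.{c,out}', GLOB_BRACE) as $f) {
        if (filemtime($f) < time() - MAX_AGE && unlink($f)) {
            $removed++;
        }
    }
    return $removed;
}
```

Pairing this with an explicit `Options -ExecCGI` on the upload directory (the poster's point 1) covers the case where someone later moves the directory back under the web root.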