Page 1 of 1

Can we disable PERL for all users?

Posted: Sat Feb 09, 2008 8:15 pm
by kdman
I got a perl/cgi hack script like (shell php).
And since CGI is not highly needed so the best way to fix all cgi security is to disable cgi for users on the shared hosting server.

I had disable it from WHM and httpd.conf, but still there is a way to reactive it by the hacker from the .htaccess files.

So any suggestions please?
I'm using Apache 2.0 on Cent OS 4.6

Thanks.

Re: Can we disable PERL for all users?

Posted: Sat Feb 09, 2008 8:23 pm
by Christopher
You could remove "AllowOverride Options" from httpd.conf, but people may want to override other options in .htaccess.

Re: Can we disable PERL for all users?

Posted: Sat Feb 09, 2008 8:35 pm
by kdman
arborint wrote:You could remove "AllowOverride Options" from httpd.conf, but people may want to override other options in .htaccess.
Exactly.
That was the problem.
If we make:AllowOverride = None.
Then All directory protected with password will be free to browse.
End If

Any more suggestions please?

Re: Can we disable PERL for all users?

Posted: Sun Feb 10, 2008 10:16 am
by kdman
I found the solution.
It's to remove this line from httpd.conf:
AddHandler cgi-script .cgi .pl

I hope it help any body found this topic ;)

Re: Can we disable PERL for all users?

Posted: Sun Feb 10, 2008 11:50 am
by Weirdan
Couldn't you just uninstall perl interpreter (or modify its executable permissions to not allow web server user to run it)?

Re: Can we disable PERL for all users?

Posted: Tue Feb 12, 2008 4:33 pm
by kdman
Unfortunately, I can't uninstall the perl because it's needed by WHM/cPanel to work.
Also i tried in the first place to change the permission of perl, but the users of cPanel couldn't access it any more.

So i think it's the best solution for now :wink:

Re: Can we disable PERL for all users?

Posted: Wed Feb 13, 2008 12:57 am
by timvw
Or you could make sure that the cpanel/whatever is ran by another useraccount which does have rights to use perl...

Re: Can we disable PERL for all users?

Posted: Thu Feb 14, 2008 11:02 am
by kdman
timvw wrote:Or you could make sure that the cpanel/whatever is ran by another useraccount which does have rights to use perl...
The problem was to login to cPanel.
when somebody try to login then he is not login then his permission must be noBody.
So he can't login at all.