cgi/perl can still be run even it's not allow?

J

jackc

Verified User
Joined
Jan 19, 2007
Messages
313
[security]cgi/perl can still be run even it's not allow?

Hello all,

It seems users still able to run cgi/perl scripts even they don't have cgi access, they can create a folder and put a .htaccess with
Options +ExecCGI
AddHandler cgi-script .cgi .pl

and run cgi/perl scripts from there, is this normal?
 
Last edited:
looks like apply jailed cgi patch to all users is needed otherwise one user can easily read other users files.
 
jackc said:
Hello all,

It seems users still able to run cgi/perl scripts even they don't have cgi access, they can create a folder and put a .htaccess with
Options +ExecCGI
AddHandler cgi-script .cgi .pl

and run cgi/perl scripts from there, is this normal?
Click to expand...

It depends on how much control you allow via .htaccess.
Check AllowOverride directive for more info.
 
If I don't allow Options use AllowOverride, I think all features in Options will not be able to use, that include some useful ones.
 
You must log in or register to reply here.
Back
Top