Disable CGI from users to run CGI Scripts

iomega

Hi.
I installed DirectAdmin on my server and there are a lot of httpd config files!
I changed the .cgi extension and users couldn't run .cgi files, but they can use this .htaccess code to run CGI with the .php extension:

AddHandler cgi-script .php

Anyway, I want to prevent users from running CGI scripts (even like this, with an .htaccess file) on their hosts.
Please guide me if you have a suggestion.
Thanks a lot guys.
Regards.
 
When I create a new package I can turn off CGI access. When I set up a new user from a package that has CGI enabled I can still modify the user so CGI is disabled.

Doesn't this work for you?

Jeff
 
Hi

When I create a new package I can turn off CGI access. When I set up a new user from a package that has CGI enabled I can still modify the user so CGI is disabled.

Doesn't this work for you?

Jeff

Thanks for your answer.
But what did you do to disable CGI?
Can you explain it completely for me?
I disabled the cgi-module, but unfortunately it's working!
 
Hi

As I said: in "modify user" "CMD_MODIFY_USER?user=username"

Dear Mehdi,
As I told you, I can run a CGI script with this code in the .htaccess file:

AddHandler cgi-script .php

And by doing "disable CGI Access" it wouldn't be disabled.
I want to disable CGI access completely for every user, so that they can't run any CGI script with something like the code I mentioned above in an .htaccess file.
Thanks for your cooperation.
Regards.
 
bi

Did you try the very first answer you got from Zeiter?

Dear Richard,
I rebuilt Apache with the cgi-module disabled, like in his answer.
But users can still run CGI scripts with that .htaccess code :(
What's your opinion about this issue?
Thanks again.
 
Dear Mehdi,
As I told you, I can run a CGI script with this code in the .htaccess file:

AddHandler cgi-script .php

And by doing "disable CGI Access" it wouldn't be disabled.
I want to disable CGI access completely for every user, so that they can't run any CGI script with something like the code I mentioned above in an .htaccess file.
Thanks for your cooperation.
Regards.

Why wouldn't it be disabled?
 
Hello,

Here is what I've tested:


User userbob with disabled CGI:

Code:
# grep cgi /usr/local/directadmin/data/users/userbob/user.conf
cgi=OFF


However I try to run a CGI script, I get either this:

Code:
Options ExecCGI is off in this directory: ...

or

Code:
... .htaccess: Option ExecCGI not allowed here

So what am I missing?
 
Dear guy,
Because of this code in the .htaccess file:

AddHandler cgi-script .php

And users can call the cgi handler to run CGI scripts.

The server will not let the user execute the CGI script because you disabled it. It will not run even if you add the code to the .htaccess file. Test it yourself.
 
But users can still run CGI scripts with that .htaccess code. :(
What's your opinion about this issue?
My opinion would be that something must have gone wrong, I can't reproduce it. I get the same result as Zeiter and Petertjuh.
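
An added example, not part of any post in this thread: a Python check an administrator could run over users' .htaccess files to find directives such as `AddHandler cgi-script .php`, and to read the `cgi=` value from a DirectAdmin user.conf like the one shown above. The function names are hypothetical and the sample inputs are constructed.

```python
import re

# Directives that can turn a file into a CGI program from .htaccess.
HANDLER_RE = re.compile(r'^(AddHandler|SetHandler)\s+"?cgi-script"?(\s|$)', re.I)
OPTIONS_RE = re.compile(r'^Options\s+(.*)$', re.I)
CGI_OPTIONS = {"execcgi", "+execcgi", "all"}  # "Options All" includes ExecCGI


def logical_lines(text):
    """Yield (first_line_number, directive): comments dropped,
    backslash-continued lines joined, whitespace normalized."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        full = " ".join((buf + line).split())
        buf = ""
        if full and not full.startswith("#"):
            yield start, full


def cgi_directives(htaccess_text):
    """Return (line_number, directive) for every CGI-enabling directive."""
    findings = []
    for n, directive in logical_lines(htaccess_text):
        m = OPTIONS_RE.match(directive)
        if HANDLER_RE.match(directive) or (
            m and any(o.lower() in CGI_OPTIONS for o in m.group(1).split())
        ):
            findings.append((n, directive))
    return findings


def cgi_disabled(user_conf_text):
    """True when the user.conf text contains cgi=OFF."""
    for line in user_conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "cgi":
            return value.strip().upper() == "OFF"
    return False


# Constructed sample .htaccess, not taken from a real account.
SAMPLE_HTACCESS = ("# constructed sample\nOptions -ExecCGI +Indexes\n"
                   "AddHandler cgi-script .php\naddhandler \\\n    cgi-script .pl\n"
                   "Options +ExecCGI\n")
```

A finding only shows that a user tried to enable CGI; whether Apache honors the directive or rejects it with errors like the ones quoted above has to be tested on the server.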
 