~username method of viewing a website

zwerfkat

Apparently, the IP/~username method of viewing a website is turned on by default in DA. So far so good. But to my big surprise, when I open a cgi-script, like:

IP/~username/cgi-bin/test.pl

the script is shown in the browser as plain text! That's really a security issue. I do want to be able to see the web site using IP/~username, I even would like to (temporarily) enable running cgi-scripts for testing purposes, but I do not want to see them as plain text.

By the way, I am running a VPS, so I have full rights and access.

How can I properly configure the usage of IP/~username?
Already looked into these issues, but it is still not clear to me. Any hints are welcome...
 
It shouldn't open in plain text. Make sure you set the extension of .pl as a cgi-script in Apache config.
 
It shouldn't open in plain text. Make sure you set the extension of .pl as a cgi-script in Apache config.

Thanks, that worked, after adding:

AddHandler cgi-script .pl

to /etc/httpd/conf/httpd.conf. Strange this is not there by default.

Anyway, now I would like to execute the script using IP/~username/cgi-bin/test.pl. Therefore I added the following in .htaccess:

Options +ExecCGI
AddHandler cgi-script .cgi .pl

but I do get an "Internal Server Error" in my browser. In the apache log file:

(13)Permission denied: exec of '/home/username/public_html/cgi-bin/test.pl' failed
[Thu Jan 05 15:55:36 2012] [error] [client xx.xx.xx.xx] Premature end of script headers: test.pl

How come I am not allowed to run the script this way? If I use www.domain.com/cgi-bin/test.pl it is working.
 
I'd rather guess that when using /~username/cgi-bin/test.pl you try to execute, as user apache, a Perl script test.pl which is owned by username. That's a security breach.
 
I'd rather guess that when using /~username/cgi-bin/test.pl you try to execute, as user apache, a Perl script test.pl which is owned by username. That's a security breach.

Not so sure that's the reason, because reading IP/~username/index.html is working correctly, which is also owned by username, or?
 
SuExec does not work with html files. SuExec is used only with CGI/PERL scripts, so that only matters.
 
Not so sure that's the reason, because reading IP/~username/index.html is working correctly, which is also owned by username, or?

That makes sense indeed. Do you know any possibility to run cgi scripts temporarily using IP/~username/cgi-bin/ method? The reason for this is testing scripts before moving the corresponding domain name to my server.
 
You'd better search the forums. I do not use IP/~username/, I treat it as a security breach, and disable it on my servers.

p.s. You might want to disable SuExec for IP/~username/ or re-configure its behavior.
 
Got it working! By adding the following to /etc/httpd/conf/extra/httpd-vhosts.conf:

<VirtualHost xx.xx.xx.xx:80>
[...]
SuexecUserGroup username username

I can execute my cgi-script using IP/~username/cgi-bin/test.pl

Although I only use it temporarily for testing purposes, I don't think it is a real security risk, but I might be wrong. Maybe the DA-panel will also not work anymore using http://IP:2222 but since I use https (port 443) for accessing DA it does not conflict with this setting.
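
A check for the plain-text problem described in the first post, as an added example that is not part of the original thread: it classifies a response from a server you administer as "script source served" or "script executed". The function names and the sample responses are constructed for illustration, and the match is a heuristic.

```python
import re
import urllib.error
import urllib.request

# A body that starts with an interpreter line is script source, not script output.
SHEBANG = re.compile(rb"\A\s*#!\s*/\S+")
# A CGI script that actually ran never shows its own header-printing statement.
HEADER_PRINT = re.compile(rb"print\s+[\"']Content-type:", re.IGNORECASE)


def looks_like_source(status, body):
    """Return True when a response body is CGI source instead of CGI output."""
    if status != 200:  # e.g. the 500 "Premature end of script headers" case
        return False
    head = body[:4096]
    return bool(SHEBANG.search(head) or HEADER_PRINT.search(head))


def check_url(url, timeout=10):
    """Fetch one URL on a server you administer and classify the response."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return looks_like_source(resp.status, resp.read(4096))
    except urllib.error.HTTPError as err:
        return looks_like_source(err.code, b"")


# Constructed sample responses (not captured from a real server).
LEAKED = b'#!/usr/bin/perl\nuse strict;\nprint "Content-type: text/html\\n\\n";\nprint "ok";\n'
EXECUTED = b"<html><body>ok</body></html>\n"

if __name__ == "__main__":
    print("source served as text:", looks_like_source(200, LEAKED))
    print("script executed:      ", looks_like_source(200, EXECUTED))
```

Running `check_url` against both the domain URL and the IP/~username URL of the same script after every handler or .htaccess change shows whether either path has fallen back to serving the file as text.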
 