If one user installs a Perl script in his cgi-bin (e.g. /web1/user1/), he has access to all other webs. This is a security risk - any idea how to prevent it? (ispconfig 3, 3.0.1.3, Ubuntu 8.04.1 Hardy Heron)

Perl sample to list all files in /var/www/

Code:
```perl
#!/usr/bin/perl
use strict;
use warnings;

print "Content-type: text/html\n\n";

# Recursively list the files and folders below $current_folder.
sub dir {
    my $current_folder = shift;
    my @all;
    chdir($current_folder) or die("Cannot access folder $current_folder");

    # Get all files and folders in the given directory.
    my @both = glob("*");
    my @folders;
    foreach my $item (@both) {
        if (-d $item) {
            # Collect folders in a separate array so that the files are
            # listed first and the folders afterwards.
            push(@folders, $item);
        } else {
            # A plain file goes straight into the final array.
            push(@all, $item);
        }
    }

    foreach my $this_folder (@folders) {
        # Add the directory name itself to the result list - comment out
        # the next line if you don't want this.
        push(@all, "$this_folder/");

        # Recurse into every sub-folder (the path stays absolute, so the
        # chdir() inside the recursive call does not break later iterations).
        my $full_path  = "$current_folder/$this_folder";
        my @deep_items = dir($full_path);    # :RECURSION:
        foreach my $item (@deep_items) {
            push(@all, "$this_folder/$item");
        }
    }
    return @all;
}

my @all = dir("/var/www/");
foreach my $item (@all) {
    print "--- $item <br>\n";
}
```
Use the svn version from ispconfig which has a high security mode setting which should be able to prevent this. If this is a production server you should wait for the 3.0.1.4 release, which will contain the new mode as well. Also make sure that you enabled suexec.
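An added check, not part of either post above: once suexec is on and each site's CGI runs as its own user, the remaining question is whether the per-site directories under the web root (assumed here to be one directory per site under /var/www, as in the question) can still be read or traversed by other accounts. The script below reports every top-level site directory whose permission bits grant "other" read or execute, which is exactly what would let a script running as one site user walk the others (the directory layout and the function names are assumptions for the example).

```sh
#!/bin/sh
# Audit per-site web directories for access by "other" users.
# Assumption (constructed example): one directory per site directly
# below a web root such as /var/www.

# Print every direct sub-directory of $1 that is readable (o+r, 004)
# or traversable (o+x, 001) by users outside its owner and group.
audit_web_dirs() {
    root="$1"
    find "$root" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -001 \) | sort
}

# Number of offending directories, handy for a cron or audit job.
count_exposed() {
    audit_web_dirs "$1" | wc -l | tr -d ' '
}

# Usage: sh audit_web_dirs.sh /var/www
if [ -n "$1" ]; then
    exposed=$(count_exposed "$1")
    if [ "$exposed" -gt 0 ]; then
        echo "Warning: $exposed site directories under $1 are accessible to other users:"
        audit_web_dirs "$1"
    else
        echo "No site directory under $1 is readable or traversable by other users."
    fi
fi
```

Without suexec every site's CGI runs as the shared web server user, so the "other" bits are not the whole story there: any directory that user can read is reachable from any site's scripts, which is why the answer above points to suexec plus the stricter mode.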