Re: [cobalt-users] Cgi scripts allow browsing through virtual sites
- Subject: Re: [cobalt-users] Cgi scripts allow browsing through virtual sites
- From: "Carrie Bartkowiak" <ravencarrie@xxxxxxxx>
- Date: Mon May 7 10:34:56 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> Now we change the server localpath parameter to /home/sites and the
> script is suddenly allowed to browse through all the other virtual sites as
> well. Same happens when changing the server localpath parameter to /. How to
> prevent cgi scripts from browsing every directory on the RAQ4?
*You* take control of that CGI script. Break it up so that the main
configuration part of it is buried somewhere deep in the server where
the client can't get to it.
For example, when the script is getting a big chunk of important
variables at the beginning, cut out that entire chunk of variables and
put them into another file called browsing_script.pl. Stick this
somewhere like /home/userscripts. Chmod it to 755. YOU set all of the
variables in it to what YOU feel is safe for that user.
Now, in the original script, where that chunk of variables used to be,
put a require statement that will make it pull your new file:
require "/home/userscripts/browsing_script.pl";
Fire up the script and it should pull your chopped-out code from
/home/userscripts; which (assuming you've set the localpath parameter
to his directory) will only allow him to browse his own directory.
Then just check the script every once in a while to make sure he
hasn't re-installed a new copy and put in his own variables.
Now you're beginning to see the inherent danger in letting users
install their own scripts. If you've got a competent CGI or PHP
programmer as a client, they can browse all over the place without you
even knowing about it. They don't even have to leave their own
directory and start tripping flags - the script does it for them.
CarrieB
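An added illustration of the split Carrie describes, not code from the original post or from any Cobalt script: the admin-owned config file carries the only `$localpath` the user gets, the user's script pulls it in with `require`, and (a check the post does not mention, added here as a belt-and-braces step) the requested directory is canonicalised with `Cwd::realpath` and refused unless it stays inside that `$localpath`. The site path, the `dir` parameter name and the use of `CGI.pm` are assumptions.

```perl
# ---- /home/userscripts/browsing_script.pl (admin-owned, chmod 755) ----
# Hypothetical config file. Only the admin edits this; the user's script
# cannot change where it is allowed to browse.
our $localpath = "/home/sites/site1/web";   # assumed per-site web root
1;                                          # require() needs a true value

# ---- the user's browsing script, with its variable block cut out ----
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use CGI qw(param header);

our $localpath;                             # filled in by the required file
require "/home/userscripts/browsing_script.pl";

# Resolve the admin-set root once; die loudly if it has gone missing.
my $base = realpath($localpath)
    or die "localpath '$localpath' does not resolve\n";

# Optional sub-directory supplied by the browser (assumed parameter name).
my $sub    = param('dir') // '';
my $target = realpath("$base/$sub");

# Refuse anything that does not resolve to $base or a directory under it.
# realpath() collapses "..", symlinks and duplicate slashes before the
# comparison, so the check is on the real filesystem location.
unless (defined $target
        && ($target eq $base || index($target, "$base/") == 0)) {
    print header('text/plain'), "Refused: outside the permitted directory\n";
    exit;
}

opendir(my $dh, $target) or die "cannot open $target: $!\n";
my @entries = sort grep { $_ ne '.' && $_ ne '..' } readdir($dh);
closedir($dh);

print header('text/plain');
print "$_\n" for @entries;
```

Because `$localpath` is set in a file the user cannot write, re-uploading the script only changes the listing code; it cannot widen the directory it is allowed to show, which is exactly the separation the post recommends.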