Results 1 to 25 of 31
-
01-12-2008, 08:54 AM #1Registered User
- Join Date
- Sep 2004
- Posts
- 245
how to prevent perl from working ?
Hello
I have a cPanel/Linux server , runing apache as a webserver .
i want to know how can i prevent perl/cgi files from working on all virtual hosts on both apache2/apache1.3 !
Thank you !0
-
01-12-2008, 02:54 PM #2Web Hosting Master
- Join Date
- Nov 2001
- Location
- Ann Arbor, MI
- Posts
- 2,979
You can remove the perl cgi files, disable mod_cgi, remove the handler for it, remove perl. Is this a multi-user system?
-Mark Adams
www.bitserve.com - Secure Michigan web hosting for your business.
Only host still offering a full money back uptime guarantee and prorated refunds.
Offering advanced server management and security incident response!0
-
01-12-2008, 03:31 PM #3
Alternatively, you can change the permissions of perl so that ONLY root can execute it:
Code:chown root:root /usr/bin/perl chown root:root /usr/local/bin/perl chmod a-rxw /usr/bin/perl chmod u+rxw /usr/bin/perl
Removing the mod_cgi is good, but it doesn't FULLY stop users from accessing perl.Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons0
-
01-12-2008, 03:40 PM #4Web Hosting Master
- Join Date
- Nov 2001
- Location
- Ann Arbor, MI
- Posts
- 2,979
-Mark Adams
www.bitserve.com - Secure Michigan web hosting for your business.
Only host still offering a full money back uptime guarantee and prorated refunds.
Offering advanced server management and security incident response!0
-
01-12-2008, 03:54 PM #5Registered User
- Join Date
- Sep 2004
- Posts
- 245
Hello
Thank you all for stopped by my post !
Yes this is a multiuser-system "shared hosting" .
what if i removed the mod_cgi , will this stop cpanel from acting :
http://www.site.com/cpanel ?
Thank you !0
-
01-12-2008, 03:55 PM #6
Wrong
Your way:
Perl can still be accessed by the user. All they have to do is put a script in their home directory (note: not web), call perl directly, and poof, you've got perl
My way:
Perl can not be accessed by ANYONE but root.
.cgi and the like STILL call perl itself (Ever notice the perl call in one of them?) and it's required to work. They all have this line (at least every one I've ever seen) at the top
Code:#!/usr/local/bin/perl #!/usr/bin/perl
My way doesn't JUST carry out to 'web' scripts, it limits perl usage entirely. Your way, easily worked around by uploading a perl script and executing it through the shell (cron, php shell, etc). If you doubt me , test my way out, you will find that it works.
CPanel runs on it's own webserver, independent of apache, and uses it's own settings, so it doesn't care what apache says to do, usually.Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons0
-
01-12-2008, 04:16 PM #7Registered User
- Join Date
- Sep 2004
- Posts
- 245
0
-
01-14-2008, 01:53 PM #8Web Hosting Master
- Join Date
- Nov 2001
- Location
- Ann Arbor, MI
- Posts
- 2,979
The OP said perl CGI. Removing mod_cgi would certainly stop perl from being used as CGI in apache. Calling perl "directly" isn't CGI.
My way:
Perl can not be accessed by ANYONE but root.
.cgi and the like STILL call perl itself (Ever notice the perl call in one of them?) and it's required to work. They all have this line (at least every one I've ever seen) at the top
Code:#!/usr/local/bin/perl #!/usr/bin/perl
My way doesn't JUST carry out to 'web' scripts, it limits perl usage entirely. Your way, easily worked around by uploading a perl script and executing it through the shell (cron, php shell, etc). If you doubt me , test my way out, you will find that it works.
No, as that is an alias, not perl itself.
CPanel runs on it's own webserver, independent of apache, and uses it's own settings, so it doesn't care what apache says to do, usually.
You may want to try sharing your own opinion without attacking others.-Mark Adams
www.bitserve.com - Secure Michigan web hosting for your business.
Only host still offering a full money back uptime guarantee and prorated refunds.
Offering advanced server management and security incident response!0
-
01-14-2008, 02:52 PM #9The OP said perl CGI
how to prevent perl from working ?
i want to know how can i prevent perl/cgi
Changing permission on the shared perl interpreter doesn't stop the user from installing their own interpreter,
.... and in fact doesn't affect CGI usage of perl in anyway
IF the perl binary can not be executed, then the website will error out. DON'T say it's not so, because you obviously haven't tested this fact. I have. I don't post things here for the hell of it, or things that are untested. IF the perl binary can not be executed, the perl script will error. pure and simple.
Next time, you might want to read through the post and grasp what the user is going for here. When the user is saying 'perl/cgi', don't exclude one or the other just because you THINK they only mean one, or the other.
You may want to try sharing your own opinion without attacking others.
Nobody 'attacked' you. I merely stated that your way of doing things was 'wrong', as it does not fully disable anything. If you don't like being told your way is 'wrong', then I'd suggest not posting 'wrong' ways to do things, or going around with statements like 'My way is better', or 'my way comes closer', or 'your way sucks'.
Your way isolates a minimal part of the problm (cgi handler). My way isolates the CORE of the problem (perl itself). BOTH of these can be worked around, but then again ANYTHING can be worked around!Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons0
-
01-14-2008, 06:16 PM #10Web Hosting Master
- Join Date
- Nov 2001
- Location
- Ann Arbor, MI
- Posts
- 2,979
Not being the OP, you don't have the privilege to tell me that I interpreted the OPs question wrong. The OP clearly wasn't making a distinction between perl and CGI.
Correct, but not many people are going to pull THAT off. If they wanted to go that far, you're screwed no matter what you do.
IF the perl binary can not be executed, then the website will error out. DON'T say it's not so, because you obviously haven't tested this fact. I have. I don't post things here for the hell of it, or things that are untested. IF the perl binary can not be executed, the perl script will error. pure and simple.
Next time, you might want to read through the post and grasp what the user is going for here. When the user is saying 'perl/cgi', don't exclude one or the other just because you THINK they only mean one, or the other.
You spread misinformation, and can't handle the fact that it's rebutted, not my problem. Next time, read the thread before you reply.
Nobody 'attacked' you. I merely stated that your way of doing things was 'wrong', as it does not fully disable anything. If you don't like being told your way is 'wrong', then I'd suggest not posting 'wrong' ways to do things, or going around with statements like 'My way is better', or 'my way comes closer', or 'your way sucks'.
Your way isolates a minimal part of the problm (cgi handler). My way isolates the CORE of the problem (perl itself). BOTH of these can be worked around, but then again ANYTHING can be worked around!
If the OP's question had been, "How do I stop users from using a specific instance of the perl interpreter", removing that instance would still have made more sense than changing permissions on it, even in a mult-user environment.
I'm sorry that you can't see how obtuse you are being.-Mark Adams
www.bitserve.com - Secure Michigan web hosting for your business.
Only host still offering a full money back uptime guarantee and prorated refunds.
Offering advanced server management and security incident response!0
-
01-14-2008, 08:26 PM #11Web Hosting Master
- Join Date
- Oct 2002
- Location
- Manchester, UK
- Posts
- 1,179
I'm sorry that you can't see how obtuse you are being
The OP is looking for a way to stop Perl from being executed via Apache. Removing the handlers, modules and configuration from Apache will achieve just that.
I wouldn't recommend modifying the interpreters permissions directly when simply disabling apaches ability to understand what to do with the request is sufficient0
-
01-14-2008, 09:08 PM #12I wouldn't recommend modifying the interpreters permissions directly when simply disabling apaches ability to understand what to do with the request is sufficient
It is NOT sufficient to 'disable mod_cgi'. Again, that is an EASY work around, simply upload the file to the server and poof, you've got what you want, using server perl calls, PERIOD.
Are both abusable? You bet. Disabling mod_cgi , however is the weakest link here, and the easiest one to get around. Creating perl binaries means that the attacker has to go through the extra effort to FIND the perl binaries that will work for this system,whereas with the other alternative, one can simply find a phpshell, upload the file and boom, you've got what you need by calling perl.
The OP is looking for a way to stop Perl from being executed via Apache. Removing the handlers, modules and configuration from Apache will achieve just that.
The OP doesn't ask "how can I stop CGI", do they? No, they don't. They ask "HOW DO I PREVENT PERL FROM WORKING?". End of story.
The first step in solving problems? DON'T read into the problem. If the user asks how to stop perl, don't tell them how to stop CGI. If the user asks how to stop both, don't solve the problem HALFWAY, solve it FULLY
In order to prevent perl and cgi from working, the perl executables need to be modified as instructed before. Removing mod_cgi will work ONLY for stopping cgi, and will NOT stop true web attacks. Either is worked around, but removing the binary from use (ie: chmod) is much, much harder to work around than just removing mod_cgi.Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons0
-
01-15-2008, 06:51 AM #13Web Hosting Master
- Join Date
- Oct 2002
- Location
- Manchester, UK
- Posts
- 1,179
It is NOT sufficient to 'disable mod_cgi'. Again, that is an EASY work around, simply upload the file to the server and poof, you've got what you want, using server perl calls, PERIOD.
It is more than sufficient, Apache needs to know what to do with a request when it receives it, hence the need for the module, scriptaliasing and such forth
Take www.f3ck.com/cgi-bin/test.pl as an example. I'd rather you actually test someones theory before trashing it, especially when you obviously have no clue what you're preaching.
Would you change the PHP interpreters permissions when you want to stop supporting PHP? - no, don't be rediculous. This is no different.Last edited by Bilco105; 01-15-2008 at 06:57 AM.
0
-
01-15-2008, 11:12 AM #14Would you change the PHP interpreters permissions when you want to stop supporting PHP? - no, don't be rediculous. This is no different.
Disabling mod_cgi does not prevent perl from working. The sooner you get that through your head and UNDERSTAND it, the better.
Just because your opinion differs from another, doesn't make that opinion wrong
Disabling mod_cgi does NOTHING to prevent 99% of the hacks that are out there, written in what? PERL. Why? Because they are called using the perl binary/inerpreter. ALL disabling mod_cgi does is removes cgi from someone's directory. OOOH, gee, I'll just upload a perl script, call it through shel, and be done.
If you want to TRULY prevent perl from working (as BOTH the title and the thread request), you need to disable it by changing the permissions. Disabling mod_cgi would be a decent ADDITION to that (to prevent someone from uploading their own handlers), and I never said it wouldn't, BUT disabling mod_cgi, alone, by itself does NOT prevent perl from working!Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons0
-
01-15-2008, 11:27 AM #15Web Hosting Master
- Join Date
- Apr 2005
- Posts
- 1,767
This thread is too hot for me!
(This is why I use PHP, not Perl)
For the record, I concur with linux-tech.0
-
01-15-2008, 12:08 PM #16Web Hosting Master
- Join Date
- Oct 2002
- Location
- Manchester, UK
- Posts
- 1,179
I never said it would 'prevent perl from working', as thats not what the OP requested, I'll repeat it for you..;
i want to know how can i prevent perl/cgi files from working on all virtual hosts on both apache2/apache1.3 !
You cannot just 'call' perl from within a script and expect it to work. Apache needs to know how to handle the request, just as it does with PHP, rails or whatever else you want to hook in. By removing its ability to do just that, removes any way of perl being processed through the webserver (which is what the OP requested).
As a test, set yourself up with a webserver with mod_cgi enabled. Change the permissions of the perl binary to your reccommendation, you now have a non-working perl (Obviously). Ok, now upload a seperate perl binary and change the shebang. Now you have a working perl installation again.
As a second test, set yourself up with a webserver with mod_cgi disabled. Upload a seperate perl binary and change the shebang. What happens? - apache doesn't understand that the request is dynamic and displays the static code, standard apache behavour.
Just agree to disagree on this one. Your solution isn't the most effective, no matter how much bold writing you back it with.Last edited by Bilco105; 01-15-2008 at 12:11 PM.
0
-
01-15-2008, 12:17 PM #17I never said it would 'prevent perl from working', as thats not what the OP requested
how to prevent perl from working ?
however, its easily worked around.
Both are worked around, the mod_cgi suggestion, doesn't actually STOP anything security wise, and doesn't do a thing.
The permission modification of perl ISN'T easily worked around though it is worked around. If you've got the server setup right (no compilers except to root), then you have to find perl built exactly for that system, download it, and use it. Not everyone has that ability . phpshell exploits, however, are very readily available.Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons0
-
01-15-2008, 06:25 PM #18Web Hosting Master
- Join Date
- Nov 2001
- Location
- Ann Arbor, MI
- Posts
- 2,979
I don't know about threat, but it will certainly stop perl/CGI on all virtual hosts in apache.
Bilco15, at least linux-tech/Tom didn't say you were wrong this time.
Unfortunately Tom's attitude in this case will make me ignore anything worthwhile that he may post in the future.-Mark Adams
www.bitserve.com - Secure Michigan web hosting for your business.
Only host still offering a full money back uptime guarantee and prorated refunds.
Offering advanced server management and security incident response!0
-
01-15-2008, 06:55 PM #19Web Hosting Master
- Join Date
- Oct 2002
- Location
- Manchester, UK
- Posts
- 1,179
SO is the mod_cgi 'suggestion'. In fact, the mod_cgi 'suggestion' doesn't stop a single threat.
I wouldn't post a solution unless I had tested it, or had previous knowledge that it works as expected. I don't work on hearsay...
I've already proved my method works, and works correctly.0
-
01-15-2008, 08:23 PM #20Provide examples.Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons0
-
01-17-2008, 05:38 AM #21Web Hosting Master
- Join Date
- Oct 2002
- Location
- Manchester, UK
- Posts
- 1,179
Constantly repeating 'WRONG' over and over doesn't constitute an example. All you've done is constantly repeat the same points without providing any actual evidence or working examples. I on the otherhand, implemented the solution I suggested, tested it, proved it works as it should and provided access to the setup.
Anyway, i'm done with this thread. OP, I hope whichever solution you pick works well for you.
Let us know how you get on.0
-
01-17-2008, 05:55 AM #22Junior Guru Wannabe
- Join Date
- Jul 2006
- Location
- Waitakere City, NZ
- Posts
- 47
Hmmmmmmmmmm, I think for the first port of action you should buy Linux-Tech a valium, then force him to take it because he'll sit there shouting WRONG WRONG WRONG at you while you're trying to give it to him, then follow the example given by Bilco105, not to take anything away from bitserve but I'm leaning more towards Bilcos suggestion.
0
-
01-17-2008, 08:06 AM #23Constantly repeating 'WRONG' over and over doesn't constitute an example.
Once again for the slow people, a PERFECT example of how disabling mod_cgi does NOT "prevent perl from working"!
Step 1
Create php shell
Step 2
Upload abusable perl script
Step 3
Upload said perl script
Step 4
Execute said perl script through cron, uploaded php shell, or what have you.
OOPS, it's possible to do. Damn
Disabling mod_cgi DOES NOT prevent perl from working, as the title requests, and suggests. It DOES prevent CGI from working, but that is ONLY half the battle. Disabling CGI from working will NOT disable perl from working, NOR will it disable crapware from getting in your system and actually abusing it.
OTOH, disabling PERL from working itself (sans root user) will disable ALL PERL FUNCTIONS from functioning, period. The only way around THAT? To find a perl interpreter built for that system's specifics and upload it to the server.
Once again, one way will disable every single attack base, the other will disable minimalistic usage. BOTH are easily worked aroundTom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons0
-
01-17-2008, 08:30 AM #24Web Hosting Master
- Join Date
- Oct 2002
- Location
- Manchester, UK
- Posts
- 1,179
Step 1
Create php shell
Step 2
Upload abusable perl script
Step 3
Upload said perl script
Step 4
Execute said perl script through cron, uploaded php shell, or what have you.
OOPS, it's possible to do. Damn
My method does exactly what was required, stop perl processing through all Apache vhosts. You can't work around it, because even WITH your solution, Perl is NOT being run through Apache.
I can get round your solution in 5 seconds flat once I know the architecture my FTP account is running on.
Agree to disagree and let it go. I'm sorry, but your solution isn't suitable for what was initially requested. If the request was, my webserver is insecure, how can I stop anyone uploading a shell and executing perl, you may have a case.Last edited by Bilco105; 01-17-2008 at 08:35 AM.
0
-
01-17-2008, 08:50 AM #25Oh please, you have bigger problems than executing perl if your web server is insecure enough to create php shells.
your solution isn't suitable for what was initially requested
In addition, the request went on to say 'how to prevent perl/cgi from working.
YOUR suggestion, on the other hand prevents ONE from working, but not the other, so THAT is unsuitable for what was requested, not the other way around.
By modifying perl binaries to be executable ONLY by root, this does both well enough. Again, both ways are easily worked around,but , one is more easily donee than the other.
Next time you want to get into an argument, make sure the person you're arguing with doesn't know what they're doing, and hasn't tested the facts. I have, both sides of this. The best, and most effective way to 'prevent perl from working', as the user requested is to modify the permissions of the binary so that it can not work for anyone but rootTom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons0