Old October 20th, 2004, 10:06 PM   #1 (permalink)
Registered User
Seasoned Poster
 
Joined in Apr 2004
42 posts
Gave thanks: 0
Thanked 0 times
Apache CGI question

Hoping one of you Apache CGI gurus might know the answer to this.

Is there a way to tell the webserver to not allow execution of CGI from a particular subdir?

I have a CGI installed which allows some of my users to upload files to a specific subdir on the website. What I want to prevent is them uploading some CGI script and executing it.

Thanks.
thomastj is offline  
Old October 20th, 2004, 10:13 PM   #2 (permalink)
Registered User
On a golden path...
 
programmerguy150's Avatar
 
Joined in Jul 2004
316 posts
Gave thanks: 0
Thanked 0 times
I believe so, or a lot of scripts would not work....let me think.....
__________________
programmerguy150 is offline  
Old October 20th, 2004, 11:27 PM   #3 (permalink)
minor deity
Super #1
 
Bigjohn's Avatar
 
Joined in Apr 2004
Lives in Georgia
Hosted on XEON
7,395 posts
Gave thanks: 28
Thanked 94 times
You could use a php-upload script which only allowed uploads of certain types of files.
__________________
Proud to be a Surmunity Mod!
XEON PASS60 PASS61
Make a fundamental difference!
My Sites:
Curious about Brewing Beer? Join the community!
>>>>> Some Change is GOOD! Keep your paycheck! Support the Fair Tax
Get into an Art museum
Victorian London
It's your brain -ON WEB - mybrainhost.com (under development)
What SHOULD Government do? Much Less than it Does!
Bigjohn is offline  
Old October 20th, 2004, 11:28 PM   #4 (permalink)
Registered User
On a golden path...
 
programmerguy150's Avatar
 
Joined in Jul 2004
316 posts
Gave thanks: 0
Thanked 0 times
Exactly! Oh, and there are also Java ones... go for Java if you got a chance...
__________________
programmerguy150 is offline  
Old October 20th, 2004, 11:29 PM   #5 (permalink)
minor deity
Super #1
 
Bigjohn's Avatar
 
Joined in Apr 2004
Lives in Georgia
Hosted on XEON
7,395 posts
Gave thanks: 28
Thanked 94 times
Quote:
Originally Posted by Newbie Hoster
Exactly! Oh, and there are also Java ones... go for Java if you got a chance...
Java is client-side and more easily subverted. Use PHP to control upload to a server.
Bigjohn is offline  
Old October 20th, 2004, 11:42 PM   #6 (permalink)
H
after g, before i
Resident.
 
H's Avatar
 
Joined in Jul 2004
Lives in N,BC,CA
8,092 posts
Gave thanks: 48
Thanked 131 times
Quote:
Originally Posted by Bigjohn
Java is client-side and more easily subverted. Use PHP to control upload to a server.
Mm... Java is both client-side and server-side. JavaScript is completely client-side though. Just clearing that up...
H is offline  
Old October 21st, 2004, 7:22 AM   #7 (permalink)
minor deity
Super #1
 
Bigjohn's Avatar
 
Joined in Apr 2004
Lives in Georgia
Hosted on XEON
7,395 posts
Gave thanks: 28
Thanked 94 times
Quote:
Originally Posted by Haugland
Mm... Java is both client-side and server-side. JavaScript is completely client-side though. Just clearing that up...
Ahh, I agree - however they don't run JBOSS on the servers at surpass... thus no serverside java.
Bigjohn is offline  
Old October 21st, 2004, 9:34 AM   #8 (permalink)
Registered User
Seasoned Poster
 
Joined in Apr 2004
42 posts
Gave thanks: 0
Thanked 0 times
I'm sort of sour on PHP-based scripts to do any uploads. The files I'm uploading will most likely be larger than 2MB. The problem with PHP is it relies too heavily on the PHP.INI variables, which I can't control on a shared environment. Hence the reason for switching to CGI.

Yes, I guess I could stop them from uploading a certain filetype, but the CGI I have is written in Perl. It would take me some time to figure out the language structure and add something to stop certain extensions from being uploaded.

I'm using a CGI I pulled from http://www.pvdlab.net/en/commerce/wcom . It's ok, but could be better.

In any event, I thought there might be something on the Apache end to only allow CGI code to be executed from within a certain subdir. It appears I can place CGI code anywhere in my subdirs and execute it and it doesn't have to be in the cgi-bin subdirectory.
thomastj is offline  
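
The Apache-side control asked about above can be expressed as per-directory configuration. This is an added example, not part of any post in the thread; it assumes Apache 2.4 with `.htaccess` overrides enabled, and the extension list and the placeholder path are assumptions.

```apache
# .htaccess for the upload directory only (constructed example).

# The permissive behaviour described in the thread (scripts run from any
# directory) comes from server-wide directives like these, shown commented
# out for contrast:
#   Options +ExecCGI
#   AddHandler cgi-script .cgi .pl

# 1. Turn CGI execution off for this directory and everything below it.
#    Needs "AllowOverride Options" (or All) from the host.
Options -ExecCGI

# 2. Drop the inherited extension-to-handler mappings so these files are
#    no longer treated as scripts here. Needs "AllowOverride FileInfo".
RemoveHandler .cgi .pl .py .sh .php

# 3. Refuse to serve script-like files at all, so an uploaded script is
#    neither executed nor returned as source. mod_mime matches extensions
#    case-insensitively and anywhere in the name (script.cgi.txt), so the
#    pattern does the same. Needs "AllowOverride AuthConfig".
<FilesMatch "(?i)\.(cgi|pl|py|sh|php)(\.|$)">
    # Apache 2.4 syntax; 2.2 and older use "Order allow,deny" and
    # "Deny from all" (which need "AllowOverride Limit").
    Require all denied
</FilesMatch>

# 4. Anyone able to upload a file named .htaccess into this directory can
#    undo all of the above, so the upload script must reject that filename.
#    Where the main server config is editable (not the case on shared
#    hosting), put the rules there and disable overrides instead:
#
#   <Directory "/home/EXAMPLE_USER/public_html/uploads">
#       AllowOverride None
#       Options -ExecCGI
#   </Directory>
```

If the host does not grant the override classes named in the comments, Apache answers requests under this directory with a 500 error, which shows up in the error log as a "not allowed here" message for the directive concerned.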
Old October 21st, 2004, 11:15 AM   #9 (permalink)
rocks your socks.
Resident.
 
David's Avatar
 
Joined in Mar 2004
Lives in fear of Obama.
Hosted on Pass 7
13,170 posts
Gave thanks: 8
Thanked 35 times
What about doing it with anonymous FTP and limiting the file types?
__________________
Quote:
Originally Posted by removed View Post
Internet Explorer rules.
David is offline  