On Thu, 12 Apr 2001 12:49:09 +0200, you wrote:
I will not put such a script on my server, but I'm afraid others will do it.
The problem is, yes, I have a lot of users. And I can't read every file they use.
It is insecure to let untrusted people upload CGIs directly to your cgibin directory. This is known. As somebody pointed out, you could try to:

1) Create a special upload directory where people can put his/her CGIs. This directory hasn't got cgiexec privileges at all. Then you should review these uploaded CGIs and copy them to the real cgibin directory, if they are not dangerous.

2) Put apache in a chroot jail.

Option 1 is more secure (if you're good at auditing CGIs) but you need the extra work of auditing. Option 2 is less secure but automatic. Obviously, option 1+2 combined would be the most secure method :-)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
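The review-then-copy step of option 1 in the message above, as an added example that is not part of the original message. It goes one step further than the text by tying the copy to the exact bytes that were audited, so a file changed after review is not installed. The directory layout, the manifest file and the function names `record_review` and `promote_cgi` are assumptions, and it relies on `sha256sum` and `mktemp` being available.

```shell
#!/bin/sh
# Added example: review-then-promote workflow for user-uploaded CGI scripts.
# Paths, the manifest format and both function names are assumptions.

# record_review STAGED_FILE MANIFEST
# Run by the reviewer after auditing a script in the no-exec upload directory.
# Appends "<sha256>  <basename>" so promotion can be tied to the audited bytes.
record_review() {
    staged=$1; manifest=$2
    # Only regular files; a symlink could point outside the upload directory.
    [ -f "$staged" ] && [ ! -L "$staged" ] || return 1
    sum=$(sha256sum < "$staged" | cut -d' ' -f1) || return 1
    printf '%s  %s\n' "$sum" "$(basename "$staged")" >> "$manifest"
}

# promote_cgi STAGED_FILE MANIFEST CGIBIN
# Installs the script into the real cgi-bin only if its content matches a
# reviewed digest. Returns non-zero and installs nothing otherwise.
promote_cgi() {
    staged=$1; manifest=$2; cgibin=$3
    name=$(basename "$staged")
    [ -f "$staged" ] && [ ! -L "$staged" ] || return 1
    [ -f "$manifest" ] || return 1
    # Copy first, then hash the private copy: the bytes that get installed
    # are the bytes that were checked, even if the uploader swaps the staged
    # file between the check and the copy. mktemp creates the file mode 0600.
    tmp=$(mktemp "$cgibin/.promote.XXXXXX") || return 1
    cp "$staged" "$tmp" || { rm -f "$tmp"; return 1; }
    sum=$(sha256sum < "$tmp" | cut -d' ' -f1)
    if grep -qxF "$sum  $name" "$manifest"; then
        # Make it executable only after verification, then rename into place.
        chmod 755 "$tmp" && mv "$tmp" "$cgibin/$name"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

The manifest must be writable only by the reviewer, never by the uploading users, otherwise the digest check proves nothing.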