Closing the Loopholes: Disable CGI Override

March 15th, 2013 by Security

LiteSpeed Web Server features something that Apache does not — a way to disable CGI, permanently.

Many of our customers disable CGI on their servers because of the risks involved with running CGI: Poorly written CGI scripts can broadcast all kinds of sensitive information to the world. If a hacker, creeping in through a tiny security hole, can successfully upload a CGI script and make it work, they can get access (and even root access) to your server without much restriction. Or the hacker could be one of your clients (signed up with a stolen credit card, perhaps), and then s/he doesn’t need a security hole to run a malicious CGI script.

There are definitely risks, but many web servers don’t give you a good way to neutralize them. On Apache, you can disable CGI in WHM by unchecking the “ExecCGI” box (Service Configuration > Apache Configuration > Global Configuration). Disabling CGI, though, does not mean that it stays disabled. Users can enable it using the Options directive “Options +ExecCGI” in a .htaccess file. (You could turn off the Options directive, but there are many legitimate uses that users need — the index feature, for example.)

This is why LiteSpeed has developed the Apache-style configuration directive “DisableCgiOverride.” The Disable CGI Override directive makes it impossible for users to turn CGI on or off through .htaccess: it keeps the CGI on/off switch firmly where you left it. (If, for some reason, you don’t want any users to turn off CGI, this directive will keep it on.) For cPanel users, just paste the following directive into one of the includes in the Include Editor (Service Configuration > Apache Configuration > Include Editor) in WHM:

    <IfModule LiteSpeed>
    DisableCgiOverride On
    </IfModule>

When the Disable CGI Override directive is “on,” users cannot enable or disable CGI. The Disable CGI Override directive also works at the virtual host level — so you can allow CGI enabling for some users — though this has to be done by editing the vhost-level included configuration files.
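Because the directive only blocks the override, it is still useful to know which accounts are trying to flip CGI from .htaccess (each such file is a candidate for a per-vhost exception, or for a conversation with the account owner). The following audit script is an added example written for this post, not code from LiteSpeed or cPanel; it assumes a cPanel-style layout where each account’s files live under a document root such as /home, and the sample .htaccess files it creates under a temporary directory are constructed for demonstration.

```shell
#!/bin/sh
# Audit .htaccess files under a document root for "Options" lines that try to
# turn ExecCGI on or off. Added example, not part of the original LiteSpeed post.
# Assumes a cPanel-style tree (e.g. /home/<user>/public_html); run as root so
# every account's files are readable.

# Print every matching line as path:line-number:text. Directive names are
# case-insensitive in Apache-style config, so grep runs with -i; lines that
# begin with "#" are comments and are deliberately not matched.
find_execcgi_overrides() {
  root="$1"
  find "$root" -type f -name .htaccess \
    -exec grep -H -n -i -E '^[[:space:]]*Options[[:space:]].*ExecCGI' {} + 2>/dev/null
}

# Number of offending lines; handy for a cron job that alerts when it is non-zero.
count_execcgi_overrides() {
  find_execcgi_overrides "$1" | wc -l | tr -d ' '
}

# Build a throw-away document root with three constructed .htaccess files:
# user1 enables CGI, user2 only has it in a comment, user3 uses odd casing.
make_sample_docroot() {
  root=$(mktemp -d)
  mkdir -p "$root/user1/public_html/cgi-bin" "$root/user2/public_html" "$root/user3/public_html"
  printf 'Options +ExecCGI\nAddHandler cgi-script .cgi .pl\n' > "$root/user1/public_html/cgi-bin/.htaccess"
  printf '# Options +ExecCGI\nOptions -Indexes\n' > "$root/user2/public_html/.htaccess"
  printf 'options execcgi\n' > "$root/user3/public_html/.htaccess"
  printf '%s\n' "$root"
}

# Stand-alone demo: ./audit_execcgi.sh --demo
if [ "${1:-}" = "--demo" ]; then
  demo_root=$(make_sample_docroot)
  echo "Scanning $demo_root"
  find_execcgi_overrides "$demo_root"
  echo "Total overrides: $(count_execcgi_overrides "$demo_root")"
  rm -rf "$demo_root"
fi
```

On a live server, call `find_execcgi_overrides /home` (or whatever your account root is); the demo mode only exercises the functions against the constructed sample tree.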

More safety, more control, yet another reason to choose LiteSpeed.
