Closing the Loopholes: Disable CGI Override

March 15th, 2013 by Security 2 Comments

Many of our customers disable CGI on their servers because of the risks involved with running CGI: Poorly written CGI scripts can broadcast all kinds of sensitive information to the world. If a hacker, creeping in through a tiny security hole, can successfully upload a CGI script and make it work, they can get access (and even root access) to your server without much restriction. Or the hacker could be one of your clients (signed up with a stolen credit card, perhaps), and then s/he doesn’t need a security hole to run a malicious CGI script.

There are definitely risks, but many web servers don’t give you a good way to neutralize them. On Apache, you can disable CGI in WHM by unchecking the ExecCGI box (Service Configuration > Apache Configuration > Global Configuration). Disabling CGI, though, does not mean that it stays disabled. Users can enable it using the Options directive Options +ExecCGI in a .htaccess file. (You could turn off the Options directive, but there are many legitimate uses as well — the index feature, for example.)

This is why LiteSpeed has developed the Apache-style server-level configuration directive DisableCGIOverride. The Disable CGI Overrride directive makes it impossible for users to turn on or off CGI through .htaccess. It will keep that CGI on/off switch firmly where you left it. (If, for some reason, you don’t want any users to turn off CGI, this directive will keep it on.) For cPanel users, just paste the following directive into one of the includes in the Include Editor (Service Configuration > Apache Configuration > Include Editor) in WHM:

<IfModule LiteSpeed>
DisableCgiOverride On

When the Disable CGI Override directive is On, users cannot enable or disable CGI.

More safety, more control, yet another reason to choose LiteSpeed.


Related Posts