I'm trying to add a simple file upload page to a website and I found a Perl-based CGI script to handle the job (see link). I got it running properly and it works great. The problem is that I don't know much about Perl/CGI and I'm wondering if I'm introducing a vulnerability to the site?
I also read that PHP might be a better way to go than CGI, but I haven't found the appropriate scripts yet.
My other option is just to create a special FTP user for uploads, but it is far easier to direct someone to a webpage to upload a file.
Any thoughts, comments, suggestions would be appreciated.
The instructions give your upload directory open availability to the world, including execute! The permissions should be 666, not 777 if you ask me. That grants read and write but NOT execute. Better would be 662, and make the web server user not a member of the group or the owner, so it can only write to the directory.
Professor Hubert Farnsworth: “Nothing is impossible. Not if you can imagine it. That’s what being a scientist is all about.”
Cubert J. Farnsworth: “No, that’s what being a magical elf is all about.”
Jack, thanks for your input.
I changed the upload directory to 666 and the upload failed.
And as for changing users/groups, I don't have that much access. I'm limited to the vdeck interface my host provides. Besides, I'm at about the limits of my knowledge on this stuff. It is probably better that I don't implement this and just go with adding an FTP user.
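
An added example, not part of the posts above or of the upload script they discuss: a small Python model of how POSIX permission bits apply to a directory, which shows why an upload into a directory set to 666 fails. The function names and the assumption that the web server account falls into the "other" class are illustrative.

```python
import stat

CLASS_SHIFT = {"owner": 6, "group": 3, "other": 0}

def dir_rights(mode, who):
    """What the permission class `who` may do in a directory with this mode."""
    bits = (mode >> CLASS_SHIFT[who]) & 0o7
    r, w, x = bool(bits & 4), bool(bits & 2), bool(bits & 1)
    return {
        "list_names": r,          # r: read the list of file names
        "enter": x,               # x on a directory means search/traverse, not "run"
        "create_files": w and x,  # adding or removing an entry needs w AND x
    }

def audit_upload_dir(mode, web_class="other"):
    """Return findings for an upload directory. web_class is an assumption:
    the permission class the web server account falls into."""
    findings = []
    if not dir_rights(mode, web_class)["create_files"]:
        findings.append("web server cannot create files (needs w and x)")
    world = dir_rights(mode, "other")
    if world["create_files"] and not mode & stat.S_ISVTX:
        findings.append("world-writable, no sticky bit: any local user "
                        "can delete or replace uploads")
    if world["list_names"]:
        findings.append("any local user can list uploaded file names")
    return findings

if __name__ == "__main__":
    # Constructed sample modes: the two from the thread plus variants.
    for mode in (0o777, 0o666, 0o662, 0o733, 0o1733):
        print(oct(mode), audit_upload_dir(mode) or ["no findings"])
```

The mode on the directory is separate from the mode of each uploaded file, which the script or the server's umask sets when the file is created.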