

Prevent cgi-script & .htaccess & SQL Injection




Posted by ngham4host, 09-06-2008, 07:02 PM
Hello, I have three problems; my server was attacked.
1) SQL injection: how can I prevent SQL injection in the forumhome table? Are there any rules in mod_security, or any way to protect the vBulletin forum from SQL injection in the forumhome table?
2) How can I prevent users from using these directives to change some of the httpd and PHP settings in the .htaccess file? Like:
AddHandler cgi-script .pl
AddHandler cgi-script .cpc
AddHandler cgi-script .txt
AddHandler cgi-script .CH
AddHandler cgi-script .pp
Because they had added this to .htaccess, they can make the CGI scripts work outside the cgi folder.
3) How can I stop all the CGI and Perl scripts on my server?
Best regards,

Posted by ngham4host, 09-07-2008, 12:28 PM
Any help? No one can help with that?

Posted by HardLayers, 09-07-2008, 01:15 PM
I have solved this problem earlier in this section. You can do the following in your httpd.conf to disable the execution of CGI-Telnet scripts, which are called Perl shells or whatever.
Search for:
This might not be in the same syntax, but search for something similar.
Add this directive just below the last one.
This way you have disabled all CGI scripts from working in the /home directory.
Regarding the SQL injection question: changing the forumhome template is done by hackers using MySQL PHP scripts. They're being changed directly from the tables in the database when the hacker captures the username and password of the database through symlinking the config.php files.

Posted by ngham4host, 09-08-2008, 06:22 PM
Thanks for your help. I did that but it does not work. As I told you, if I add that code in .htaccess, the CGI scripts work. How can I prevent anyone from adding this code to .htaccess?
Also, with thanks, about the SQL injection question: how can I prevent any hacker from reading files on the server, and prevent this command on the server: cat /etc/passwd
Best regards,

Posted by HardLayers, 09-09-2008, 10:06 AM
Options -ExecCGI
If you add this to your httpd.conf as I mentioned, there's no way to execute CGI in the directory /home. After you do that, you have to restart Apache to check whether that's working or not.

Posted by ngham4host, 09-09-2008, 12:26 PM
Thanks. This is all that I have in my httpd.conf and it is not working. Regards,

Posted by HardLayers, 09-09-2008, 06:27 PM
That's weird, man. I have the following and CGI Perl doesn't work whatsoever.
By the way, if you take off FileInfo from the AllowOverride line, that will mean that no one can use .htaccess to add lines such as:
But that shouldn't be a problem if you're disabling execution of CGI; you can leave that untouched.
Could you provide me with the following:
1- Are you using SuExec while compiling Apache?
2- What version of Apache are you using?
I'm not so sure if these points are the problem, but I want to compare yours and mine.
Last edited by HardLayers; 09-09-2008 at 06:30 PM.

Posted by ngham4host, 09-10-2008, 08:56 PM
Thanks a lot.
1- Are you using SuExec while compiling Apache? Yes.
What version of Apache are you using? 229
Regards,

Posted by HardLayers, 09-10-2008, 10:05 PM
Weird, man. Sorry, I don't know how to fix this.

Posted by ngham4host, 09-11-2008, 12:02 AM
Thanks a lot, man, for your help. Best regards,

Posted by ktjm, 09-11-2008, 08:08 AM
I have this problem too (cgi-bin). I think we need to disable the AddHandler function in .htaccess? Please help us!!

Posted by JBapt, 09-11-2008, 09:29 AM
Hi, try got root (www.gotroot.com). They used to have really good rules to use in mod_security.

Posted by devways, 09-12-2008, 04:07 PM
I don't know if you are going to activate Perl CGI scripts on your server or not. Anyway, pretty much the only way to disable using Perl scripts is to edit your crontab and add this line:
* * * * * chmod 700 /usr/bin/perl
Regards

Posted by ktjm, 09-12-2008, 05:06 PM
Brother, if we disable Perl, PHP is disabled too. We need to disable AddHandler ....

Posted by ngham4host, 09-12-2008, 05:09 PM
That's what we need.
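
Added example (not part of the thread and not any poster's code): the thread turns on per-user .htaccess files re-enabling CGI through AddHandler cgi-script or Options +ExecCGI, so this Python script audits .htaccess content for those directives. The sample file, the function names and the finding labels are assumptions made for illustration.

```python
import os
import re

# Constructed sample .htaccess (not taken from the thread's server).
SAMPLE = r"""# constructed sample
AddHandler cgi-script .pl .txt
addhandler cgi-script \
    .cpc
Options -Indexes +ExecCGI
Options -ExecCGI
AddType text/html .shtml
"""

# Apache directive names are case-insensitive; the handler name may be quoted.
HANDLER_RE = re.compile(r'^(?:add|set)handler\s+"?cgi-script"?(?:\s+(.*))?$', re.I)
OPTIONS_RE = re.compile(r"^options\s+(.*)$", re.I)

def logical_lines(text):
    """Yield (first_line_no, directive); joins '\\' continuations, skips comments."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start if buf else no
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf = (buf + line).strip()
        if buf and not buf.startswith("#"):
            yield start, buf
        buf = ""

def audit_htaccess(text):
    """Return (line_no, kind, detail) for directives that enable CGI execution."""
    findings = []
    for no, line in logical_lines(text):
        m = HANDLER_RE.match(line)
        if m:
            findings.append((no, "cgi-handler", (m.group(1) or "").split()))
        m = OPTIONS_RE.match(line)
        if m:
            opts = [o.lower() for o in m.group(1).split()]
            if {"execcgi", "+execcgi", "all", "+all"} & set(opts):
                findings.append((no, "execcgi-enabled", opts))
    return findings

def scan_tree(root):
    """Audit every .htaccess below root; return {path: findings} for hits only."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            with open(os.path.join(dirpath, ".htaccess"), errors="replace") as fh:
                found = audit_htaccess(fh.read())
            if found:
                hits[os.path.join(dirpath, ".htaccess")] = found
    return hits
```

Running `scan_tree("/home")` as a user who can read the account directories lists each .htaccess that maps extensions to cgi-script or turns ExecCGI on, which shows whether the AllowOverride setting in httpd.conf is still letting those directives through.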


