Close CGI for Litespeed [Help PLS]

Discussion in 'CGI/Perl/Python' started by nexterr, Jan 28, 2011.

  1. nexterr

    nexterr New Member

    Litespeed webserver installed on my server to use can cgi hosting accounts can I do? Many security risk, for example, causing the CGI hacking with cgi-telnet script is inevitable.
  2. webizen

    webizen New Member

    The latest 4.1RC4 (available from below) addresses this concern.

    http://www.litespeedtech.com/packages/4.0/lsws-4.1RC4-ent-x86_64-linux.tar.gz
    http://www.litespeedtech.com/packages/4.0/lsws-4.1RC4-ent-i386-linux.tar.gz
    http://www.litespeedtech.com/packages/4.0/lsws-4.1RC4-std-i386-linux.tar.gz

    If your lsws reads httpd.conf from control panel, put the below config in your httpd.conf
    Code:
    <IfModule litespeed>
    DisableCgiOverride On
    </IfModule>
    
    If you run native lsws config, put "DisableCgiOverride On" in Apache Style Configurations (Admin Console -> Configurations -> Server -> General).

    "DisableCgiOverride On" is to prevent user from adding things like "AddHandler cgi-script .cgi .pl" at local .htaccess level.

    cgi type context(alias) needs to be removed at virtual host level if you want to completely disable cgi.
  3. Statskij

    Statskij New Member

    We have installed 4.1RC4 and made all operations in a message above with options -ExecCGI in http.conf but users still can run .cgi scripts. Have anyone suceessfully disabled .cgi in Litespeed?
    webizen, maybe you can comment, what else can be wrong on our server?
  4. webizen

    webizen New Member

    pm your server temporary access so we can take a look

Share This Page