Close CGI for Litespeed [Help PLS]

N

nexterr

New Member
#1
#1
Litespeed webserver installed on my server to use can cgi hosting accounts can I do? Many security risk, for example, causing the CGI hacking with cgi-telnet script is inevitable.
 
W

webizen

Well-Known Member
#2
#2
The latest 4.1RC4 (available from below) addresses this concern.

http://www.litespeedtech.com/packages/4.0/lsws-4.1RC4-ent-x86_64-linux.tar.gz
http://www.litespeedtech.com/packages/4.0/lsws-4.1RC4-ent-i386-linux.tar.gz
http://www.litespeedtech.com/packages/4.0/lsws-4.1RC4-std-i386-linux.tar.gz

If your lsws reads httpd.conf from control panel, put the below config in your httpd.conf
Code: 
<IfModule litespeed>
DisableCgiOverride On
</IfModule>
If you run native lsws config, put "DisableCgiOverride On" in Apache Style Configurations (Admin Console -> Configurations -> Server -> General).

"DisableCgiOverride On" is to prevent user from adding things like "AddHandler cgi-script .cgi .pl" at local .htaccess level.

cgi type context(alias) needs to be removed at virtual host level if you want to completely disable cgi.
 
S

Statskij

Active Member
#3
#3
We have installed 4.1RC4 and made all operations in a message above with options -ExecCGI in http.conf but users still can run .cgi scripts. Have anyone suceessfully disabled .cgi in Litespeed?
webizen, maybe you can comment, what else can be wrong on our server?
 
You must log in or register to reply here.
Top