disable cgi

Hello,

I'm managing some dedicated servers on which only PHP scripts are hosted. I want to completely disable CGI on all virtual servers as it's not needed at all; it just makes it possible for hackers to upload and execute CGI shells on websites. In other words, why should I have a module on the server while it's not being used at all?

I've tried to do it but it's not possible: when I uncheck 'Automatically add appropriate SuExec directive?' in the Apache template, it says 'PHP scripts cannot be run as the domain owner unless suexec is enabled'. I tried to change php-fcgi to php-cgi but it doesn't matter and the same error occurs.

Is there any workaround available for this?

Status: Active

Comments

CGI support is indeed needed to run PHP scripts with domain owner permissions.

The only time it can be turned off is when PHP scripts are run via mod_php, as the Apache user.

I don't see how disabling CGI helps much from a security point of view, as an attacker could still upload a PHP script and run that via the web.

Submitted by Mostafa on Wed, 08/01/2012 - 15:44

[Security First]

So mod_suphp can fix this! Both: CGI will be disabled and the PHP scripts will be run as the owner.

I'm controlling the PHP scripts using the Location tag. Here's the configuration I've used for Joomla sites:

# Deny direct requests to PHP scripts by default
<Location ~ "\.php">
deny from all
</Location>

# Allow the site entry points
<Location ~ "^/(index|index2)\.php$">
allow from all
</Location>

# Allow the administrator entry points
<Location ~ "^/administrator/(index|index2)\.php$">
allow from all
</Location>

A chattr +i on the above four files will prevent any overwrite of the files.

[/Security First]

We aren't likely to add mod_suphp support any time soon, due to the overhead of handling yet another PHP execution type.

Maybe you could change the default Apache configuration for your virtual hosts to disallow CGI scripts except for in fcgi-bin, which is where the scripts used to run PHP as the domain owner are located? You can do this at System Settings -> Server Templates -> Default Settings -> Apache website.
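
One way to check where a virtual host still permits CGI execution outside fcgi-bin when applying the suggestion above. This is an added example, not part of the original thread or of Virtualmin; the sample configuration, its domain and its paths are constructed, and cgi_enabled_paths is a hypothetical helper name.

```python
import re

# Constructed sample vhost config; domain and paths are hypothetical.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /home/example/public_html
    ScriptAlias /cgi-bin/ /home/example/cgi-bin/
    <Directory /home/example/public_html>
        Options -Indexes +ExecCGI
        AddHandler fcgid-script .php
        FCGIWrapper /home/example/fcgi-bin/php5.fcgi .php
    </Directory>
    <Directory "/home/example/cgi-bin">
        Options +ExecCGI
    </Directory>
    <Directory /home/example/fcgi-bin>
        Options +ExecCGI
    </Directory>
    <Directory /home/example/uploads>
        Options -ExecCGI
    </Directory>
</VirtualHost>
"""

def cgi_enabled_paths(conf, allowed_dir="fcgi-bin"):
    """Return (directive, path) pairs that enable CGI outside allowed_dir."""
    findings, current_dir = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if m:                                   # entering a <Directory> block
            current_dir = m.group(1).rstrip("/")
            continue
        if re.match(r"</Directory>", line, re.I):
            current_dir = None
            continue
        words = line.split()
        name = words[0].lower()
        if name == "scriptalias" and len(words) >= 3:
            findings.append(("ScriptAlias", words[2].strip('"').rstrip("/")))
        elif name == "options" and current_dir:
            opts = [w.lower() for w in words[1:]]
            # "All" includes ExecCGI; a bare or "+" form turns it on
            if {"+execcgi", "execcgi", "all"} & set(opts):
                findings.append(("Options ExecCGI", current_dir))
    # Keep only findings whose path has no allowed_dir component
    return [(d, p) for d, p in findings if allowed_dir not in p.split("/")]
```

A document root that serves PHP through mod_fcgid will show up in the result, because that handler also depends on ExecCGI being set for the requested file; treat each finding as something to review rather than remove blindly.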