Publishing cgi scripts on CSUSAP

As the execution of ill-designed cgi scripts can cause unwelcome surprises for the unsuspecting programmer, DIT has taken steps to minimise the security risk of script execution, and in particular, buffer overflow vulnerabilities which can be exploited by malicious users feeding scripts something they can't digest.

In particular, script files that reside under a public_html directory can be browsed, giving the unwanted feature of people being able to view the script code, and look for possibilities of feeding them stuff they could choke on.

For this reason, the Apache server on csusap has been configured NOT to allow the execution of any scripts under a public_html directory. It has been configured this way for quite some time.

The correct method for executing cgi scripts on csusap is as follows:

create a directory under your home directory, called cgi-bin, and make it rwxr-xr-x:
"cd; mkdir cgi-bin; chmod 755 cgi-bin"
there should be a link called http://csusap.csu.edu.au/cgi-pub/username, which points to the above directory.
ie. http://csusap.csu.edu.au/cgi-pub/username -> csusap:/userdata/{staff|student}/username/cgi-bin
If this link does not exist, contact the DIT Service desk (sdesk@csu.edu.au) to have it created.
use the above reference in any html files under your public_html directory when calling scripts:
ie. http://csusap.csu.edu.au/cgi-pub/username/index.cgi runs: /userdata/{staff|student}/username/cgi-bin/index.cgi

This will ensure that users cannot view the source code of a script, and hence look for vulnerabilities.

Below is a simple test you can do to ensure your cgi environment is set up correctly:

Copy the following code into a file called hello_world.cgi in the cgi-bin directory you have created under your home directory:

------------------------------------------- Cut here -------------------------------------------
#!/usr/bin/perl

print "content-type: text/html\n\n";

print "<HTML>\n";

print "<HEAD>\n";
print "<TITLE>hello, world html </TITLE>\n";
print "</HEAD>\n";

print "<BODY>\n";
print "<H2>Hello, World, in HTML </H2>\n";
print "<HR>\n";
print "<p>\n";
print "Hello, World, in HTML\n";
print "</p>\n";
print "<p>\n";
print "hello_world.cgi successfully executed\n";
print "</p>\n";
print "</BODY>\n";
print "</HTML>\n";
------------------------------------------- Cut Here -------------------------------------------

Ensure that this file has the correct permissions: chmod 755 hello_world.cgi

From a web browser, load the address http://csusap.csu.edu.au/cgi-pub/username/hello_world.cgi