Initial question raised in CNSC-266546.

Today we have deployed several custom add-ons.
Based on past CollabNet recommendations, some add-ons deploy perl or python scripts stored in /var/www/cgi-bin, in order to be called as post-event scripts.

If these scripts are not properly written (for example: improper input validation), they can expose the server to vulnerabilities, like external entity inclusion, which would allow an attacker to download sensitive files like /etc/passwd (path traversal attack).

If Apache were running inside a specific folder (chroot jail), it would minimize the impact of such vulnerabilities.
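The input validation the ticket says such scripts lack, as an added example (not code from the ticket or from CollabNet): a Python helper a CGI post-event script could use to keep a user-supplied file name inside the directory it is allowed to serve. The sandbox directory, `resolve_within` and `serve_file` are assumed names; this is the script-level fix, while the chroot jail requested above limits what a script without such a check can reach.

```python
import os
import tempfile
from pathlib import Path

# Constructed sandbox standing in for the directory an add-on script may serve
# from (assumption: a real add-on would have its own configured directory).
BASE_DIR = Path(tempfile.mkdtemp(prefix="addon-files-"))
(BASE_DIR / "report.txt").write_text("constructed sample report\n")
# A symlink inside the directory that points outside it, to show that a
# string-only check on the file name is not enough.
(BASE_DIR / "escape-link").symlink_to("/etc/passwd")


def resolve_within(base_dir, requested):
    """Return the absolute path for `requested` only if it stays under base_dir.

    Compares fully resolved paths, so '..' segments and symlinks that leave
    the directory are both rejected. Absolute names are refused outright
    because os.path.join would silently discard base_dir for them.
    """
    if os.path.isabs(requested):
        raise PermissionError(f"absolute path refused: {requested!r}")
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PermissionError(f"path escapes {base}: {requested!r}")
    return candidate


def serve_file(requested):
    """What a hardened CGI handler returns for a user-supplied file name."""
    try:
        path = resolve_within(BASE_DIR, requested)
    except PermissionError:
        return 403, b""
    if not path.is_file():
        return 404, b""
    return 200, path.read_bytes()
```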
