Web host disabled perl / cgi outside of cgi-bin... is that really necessary?
I have been with the same web host for 7 years with mostly only minor/standard issues to date. I noticed a problem the other night with a perl script I was uploading (kept trying to download) and hadn't figured it out until I saw the below email...
Looks like this was a server wide change... maybe even all their servers are being switched over like this. I believe they have hundreds of servers with tens of thousands of websites (virtual hosting), so this will affect many people.
Subject: Emergency Security Updates on server
Dear Valuable Customer,
We would like to inform you that due to security reasons we have changed
couple of settings related to perl and cgi. We have blocked the .cgi .pl
.plx .ppl .perl scripts using outside of the cgi-bin folder due to security
purpose, so to use those handlers please keep in cgi-bin folder. By allowing
these above handlers in other folders spammers are running spam scripts at root
level folders and sending spam mails from server. Due to this IP is getting
frequently blocked by email providers. We request you please kindly keep
handlers in cgi-bin folder.
Your cooperation in this regard will be appreciated.
Is this really any more secure?
Can't malicious scripts be run from the cgi-bin too?
Wouldn't this basically kill someone's site/rankings if they were using Movable Type and had to move to /cgi-bin/ ?
Can't PHP accomplish the same thing?
I know I have a ton of scripts that will be affected by this and I haven't even begun to try to unravel where they all are. This will be a huge hassle.
Lastly, having cgi-bin in the URL is not appealing to me at all. I may have to switch over to PHP as my main development tool to avoid these troubles.
It is pretty uncool they didn't give even 7 days notice for people to switch things over.
What would you have done if you were the host?
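
An inventory of the files the host's change affects, as an added example that is not part of the original post: it lists files with the extensions blocked in the email (.cgi .pl .plx .ppl .perl) that sit outside any cgi-bin directory, along with their execute bit and shebang interpreter. The function name `list_affected_scripts` and its document-root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list files that carry one of the
# extensions named in the host's email and live outside every cgi-bin directory.
# Output, one tab-separated line per file: <exec|noexec> <interpreter|-> <path>
# Assumption: paths contain no newlines.

list_affected_scripts() {
    docroot=${1:?usage: list_affected_scripts DOCROOT}

    # Prune every directory named cgi-bin, then match the blocked extensions.
    find "$docroot" -type d -name cgi-bin -prune -o \
        -type f \( -name '*.cgi' -o -name '*.pl' -o -name '*.plx' \
                   -o -name '*.ppl' -o -name '*.perl' \) -print |
    sort |
    while IFS= read -r f; do
        # Record whether the execute bit is set for the current user.
        if [ -x "$f" ]; then mode=exec; else mode=noexec; fi

        # Read the first line (CR stripped, in case of a CRLF upload) and
        # pull the interpreter path out of a shebang, if there is one.
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\r')
        case $first in
            '#!'*)
                interp=${first#'#!'}
                interp=${interp#"${interp%%[! ]*}"}   # drop leading spaces
                interp=${interp%% *}                  # drop interpreter arguments
                ;;
            *)  interp=- ;;
        esac
        [ -n "$interp" ] || interp=-

        printf '%s\t%s\t%s\n' "$mode" "$interp" "$f"
    done
}

# Run against a document root only when one is given on the command line.
if [ "$#" -gt 0 ]; then
    list_affected_scripts "$1"
fi
```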