Through Perl scripts, end customers can acquire some information on the Windows web hardware node. Is it safe?
After a thorough investigation by the security team, it was determined that it is possible to run some commands, but this is permitted for the web user: that is the purpose of CGI, where the user is allowed to run commands. Even if running a specific command (e.g. ipconfig) were prohibited, it would still be possible to gather the same information using pure Perl and Windows-specific modules, e.g.:
To restrict Perl completely, it is possible to leave only ASP.NET on the node and remove other scripting packages. You would need to do the following:
- In POA PP, go to Deployment Director > Server Manager >
- Access the node, and remove
Win+R > appwiz.cpl.
The same can be done with PHP packages and application.