(Strange post, so hopefully this won't be as strange a reply).
On the subject of security flaws: it is considered general bad practice to store cgi-bin scripts within the document root of the web server. Even the W3C eludes to it under "Are compiled languages such as C safer ..." in their World Wide Web Security FAQ:
Consider the following scenario. For convenience's sake, you've decided
to identify CGI scripts to the server
using the .cgi extension. Later on,
you need to make a small change to an
interpreted CGI script. You open it up
with the Emacs text editor and modify
the script. Unfortunately the edit
leaves a backup copy of the script
source code lying around in the
document tree. Although the remote
user can't obtain the source code by
fetching the script itself, he can now
obtain the backup copy by blindly
requesting the URL:
http://your-site/a/path/your_script.cgi~
(This is another good reason to limit
CGI scripts to cgi-bin and to make
sure that cgi-bin is separate from the
document root.)
This is not as significant a threat as the ability to write a file within the document root. However, an attacker could obtain the source code of the cgi, devise a directed attack against it, and use it as a stepping stone into the server.
To mitigate this, you can add the following lines to the lighttpd.conf (or some variation therein) to direct cgi-bin to a directory separate from the /var/www/lighttpd document root.
$HTTP["url"] =~ "/cgi-bin/" { cgi.assign = ( "" => "" ) }
alias.url = ( "/cgi-bin/" => "/usr/lib/cgi-bin/" )
This requires both the cgi and alias modules for lighttpd.
Either pasv_address
needs to be the external IP address, or pasv_addr_resolve=YES
needs to be set so that the hostname you entered will be resolved when vsftpd starts. If you use a hostname with pasv_addr_resolve, vsftpd has to be restarted if the IP address changes.
Best Answer
SSH, which is already running, provides SFTP. The same key you login to SSH with allows SFTP logins. The SFTP service is provided by SSH, the same software that lets you log in.
You can add users and allow them to login via SFTP. This for example makes it easier to create a user that only has access to your webroot. I have an article about that for Amazon Linux on my blog, which includes some pictures. The essential parts are
Create a new user
Create a new key pair
Allow the user to log in