Re: source code security
[late response]
> I'm curious to know if there is any way for anyone to look at the source code
> for cgi-scripts if the code lies in a /cgi-bin directory?
>
> If (assuming you're using NCSA's httpd) you define DocumentRoot
> to be, say, /docdir, then define something like
>
> ScriptAlias /schmoe/cgi-bin /docdir/cgi-bin/schmoe
>
> (defining a "cgi-aware" directory under the DocumentRoot hierarchy) you leave
> yourself open to snoopers who can access the URL
>
> http://server.machine/schmoe/cgi-bin
>
> and get a listing of the directory's contents (assuming indexing is on).
First: you can define the cgi-dir using the real name - then you don't leave
that hole.
Next, I suggest doing the development in a separate dir and setting symbolic
links to that dir (don't forget to set the option FollowLinks (?) in .htaccess).
read you later - Holger Reif
http://remus.prakinf.tu-ilmenau.de/Reif/
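
A check for the layout discussed in this thread, as an added example that is not part of the original messages: it reads DocumentRoot and ScriptAlias lines and reports script directories that sit inside the document tree without a ScriptAlias covering their real path. The function names and sample configurations are constructed for illustration; the comparison is textual and does not resolve symbolic links.

```python
import posixpath

# Constructed sample configurations. EXPOSED uses the directives quoted in the
# thread; REAL_NAME aliases the directory under its real name; OUTSIDE keeps
# the scripts out of the document tree.
EXPOSED = """
DocumentRoot /docdir
ScriptAlias /schmoe/cgi-bin /docdir/cgi-bin/schmoe
"""
REAL_NAME = """
DocumentRoot /docdir
ScriptAlias /cgi-bin/schmoe /docdir/cgi-bin/schmoe
"""
OUTSIDE = """
DocumentRoot /docdir
ScriptAlias /cgi-bin /srv/cgi
"""

def _under(path, base):
    """True if path equals base or lies below it (pure string comparison)."""
    base = base.rstrip("/")
    return path == (base or "/") or path.startswith(base + "/")

def find_exposed_script_dirs(conf_text):
    """Return (alias, directory, document_path) for every ScriptAlias directory
    that is inside DocumentRoot and whose real path no ScriptAlias covers."""
    doc_root, aliases = None, []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not parts:
            continue
        directive = parts[0].lower()
        if directive == "documentroot" and len(parts) == 2:
            doc_root = posixpath.normpath(parts[1])
        elif directive == "scriptalias" and len(parts) == 3:
            aliases.append((parts[1].rstrip("/") or "/", posixpath.normpath(parts[2])))
    findings = []
    for alias, directory in aliases:
        if doc_root is None or not _under(directory, doc_root):
            continue                               # outside the document tree
        # Path at which the same files are served as ordinary documents.
        doc_path = "/" + directory[len(doc_root.rstrip("/")):].lstrip("/")
        if not any(_under(doc_path, a) for a, _ in aliases):
            findings.append((alias, directory, doc_path))
    return findings

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED), ("real name", REAL_NAME), ("outside", OUTSIDE)):
        print(name, find_exposed_script_dirs(conf))
```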