
Re: source code security




[late response]

> I'm curious to know if there is any way for anyone to look at the source code
> for cgi-scripts if the code lies in a /cgi-bin directory

> if (assuming you're using NCSA's httpd) you define DocumentRoot
> to be, say, /docdir, then define something like
>
>   ScriptAlias /schmoe/cgi-bin /docdir/cgi-bin/schmoe

> (defining a "cgi-aware" directory under the DocumentRoot hierarchy) you leave
> yourself open to snoopers who can access the URL 
>
>   http://server.machine/schmoe/cgi-bin
>
> and get a listing of the directory's contents (assuming indexing is on)

First: you can define the cgi-dir using the real name - then you don't leave
that hole.
Next, I suggest doing the development in a separate dir and setting symbolic
links to that dir (don't forget to set the option FollowLinks (?) in .htaccess).

read you later  -  Holger Reif
http://remus.prakinf.tu-ilmenau.de/Reif/
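A small audit check for the misconfiguration discussed in this thread, added here as an example (it is not code from the thread or from NCSA httpd): it reads NCSA/Apache-style `DocumentRoot` and `ScriptAlias` directives and flags any CGI directory that sits inside the document tree, which is the situation the quoted message describes. The config fragment is constructed for the example.

```python
import os

# Constructed httpd.conf fragment mirroring the thread: the first ScriptAlias
# target lives under DocumentRoot, the second lives outside it.
SAMPLE_CONF = """\
DocumentRoot /docdir
ScriptAlias /schmoe/cgi-bin /docdir/cgi-bin/schmoe
ScriptAlias /cgi-bin /usr/local/etc/httpd/cgi-bin
"""

def parse_conf(text):
    """Return (document_root, [(url_prefix, fs_dir), ...]) from config text."""
    doc_root = None
    aliases = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() == "documentroot" and len(parts) >= 2:
            doc_root = parts[1].strip('"')
        elif parts[0].lower() == "scriptalias" and len(parts) >= 3:
            aliases.append((parts[1], parts[2].strip('"')))
    return doc_root, aliases

def under(path, root):
    """True if path equals root or lies inside it (lexical check, normalised)."""
    path = os.path.normpath(path)
    root = os.path.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def exposed_script_dirs(text):
    """List (url_prefix, fs_dir, document_url) for ScriptAlias directories
    that sit inside DocumentRoot. document_url is the path under which the
    same files are served as ordinary documents, bypassing the ScriptAlias."""
    doc_root, aliases = parse_conf(text)
    if doc_root is None:
        return []
    findings = []
    for url_prefix, fs_dir in aliases:
        if under(fs_dir, doc_root):
            rel = os.path.relpath(os.path.normpath(fs_dir), os.path.normpath(doc_root))
            doc_url = "/" if rel == "." else "/" + rel.replace(os.sep, "/")
            findings.append((url_prefix, fs_dir, doc_url))
    return findings

if __name__ == "__main__":
    for url_prefix, fs_dir, doc_url in exposed_script_dirs(SAMPLE_CONF):
        print(f"ScriptAlias {url_prefix} -> {fs_dir} is under DocumentRoot; "
              f"move it outside the document tree (also served at {doc_url})")
```

The fix the reply recommends, a CGI directory outside `DocumentRoot` (reached via symbolic links if convenient), produces an empty finding list.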