
CGI-BIN security level???


jacksondorado (IS-IT--Management), Apr 12, 2001
HI,

How secure is the CGI-BIN on an Apache Server? If I have a text file in the bin, can it be accessed by anyone externally?

thanks,
Bill
 
Yes, someone can access a text file in the cgi-bin directory, if they know (or can guess) the name or you have directory listings enabled.
 
Sorry, but, that is not correct.

If you have done a reasonable job of setting up your apache server, it will NOT serve a text file directly from your cgi-bin. You can write a cgi application to read and output a text file, but the server will not do it (unless you do something to tell the server to do it).

In general, there are two locations from which apache will generate output in response to an HTTP request. The first is the 'html' or 'htdocs' directory and its sub-directories. From the 'html' directory, apache will certainly serve text. The second location is the cgi-bin directory and its sub-directories. For security reasons, apache will only return output from this as the result of running a well-behaved CGI app. Case in point: CGI apps written in Perl are just text files. If apache allowed the general public to see the text of a Perl/CGI, it would make that CGI a prime target for hacking.

That having been said (typed), you can certainly corrupt this separation of html and cgi directories and sometimes with good reason. I WOULD NEVER DO THIS ON A SERVER THE PUBLIC COULD SEE. You can put a link from your html directory to the front of your cgi directory.

html path
/var/
cgi-bin path
/var/
link from html to cgi-bin
ln -s /var/ /var/
If you created that link, you'd be able to hit:
and see the cgi-bin directory structure. THIS REPRESENTS A HUGE SECURITY RISK! YOU WILL BE SHOWING ANYONE WHO CAN HIT THAT SERVER EXACTLY WHAT YOUR CGI CODE LOOKS LIKE....NOT A GOOD IDEA. One good reason for doing this is, on a development platform, you can keep your html and cgi code in the same subdirectory of your cgi path..... a little convenience.

Please see the apache documentation on its security measures and please take a look at
'hope this helps

If you are new to Tek-Tips, please use descriptive titles, check the FAQs, and beware the evil typo.
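The separation described in the reply above comes down to how the two directories are mapped in httpd.conf. The fragment below is an added example, not configuration posted in the thread or shipped with Apache: it shows the exposed mapping (a plain Alias, which serves CGI source and any text file as static content) beside the intended one (ScriptAlias, which only ever returns a script's output), plus the DocumentRoot options that keep a symlink like the one in the reply from being followed. The paths /var/www/html and /var/www/cgi-bin are placeholders, since the thread's paths were truncated, and the access directives use Apache 2.4 syntax rather than the 1.3-era Order/Allow lines.

```apache
# Added example: mapping the CGI directory in Apache httpd (2.4 syntax).
# Paths are assumed placeholders; the thread's own paths were truncated.

# --- Variant A: EXPOSED. Do not use on a public server. ---
# A plain Alias treats the directory as static content. A request for
# /cgi-source/hello.pl returns the Perl source, notes.txt is readable,
# and Indexes lets a visitor browse the whole tree.
Alias /cgi-source/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>

# --- Variant B: INTENDED. Use this instead of Variant A. ---
# ScriptAlias hands every request under /cgi-bin/ to the cgi-script handler.
# A script is executed and only its output is sent; its source never leaves
# the server. A non-script such as notes.txt cannot be executed and yields a
# 500 Internal Server Error rather than its contents. The FilesMatch block
# goes one step further and refuses data files by name (403) so a stray
# text file is never even handed to the CGI handler.
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
    <FilesMatch "\.(txt|dat|conf)$">
        Require all denied
    </FilesMatch>
</Directory>

# --- DocumentRoot: do not follow symlinks, do not list directories. ---
# With FollowSymLinks off, a link such as html/cgi-bin -> /var/www/cgi-bin
# is not traversed and the request is refused (403), closing the shortcut
# described in the reply above even if someone creates it.
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
```

The quickest check is to put a harmless file such as notes.txt in the CGI directory and request it: under Variant B the server answers with a 500 (or a 403 if the FilesMatch rule is present), never with the file body, which matches the result reported later in this thread. Keep helper data out of both DocumentRoot and cgi-bin where possible; the deny rule is a backstop, not a substitute for placing files outside the served tree.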
 
Yes, I was mistaken. I assumed that if you knew the name of the text file (with .txt extension) and could access it directly, that it would display in a browser. But, I just tested it, and I get an internal server error.
 
Thanks,

That is the result I got from testing. I'm just wondering how some of my email addresses with my webhost are being used by the SoBigE virus.
 
"Systems Not Affected: Macintosh, OS/2, UNIX, Linux"

There's your solution. Close Windows and nail them shut.

Newposter
"Good judgment comes from experience. Experience comes from bad judgment."
 
Like Newposter said, that virus (as are most) preys upon and uses Windoze machines. It propagates itself via email.

I hesitate to pour fuel on a religious war, but I tend to agree with Newposter's remedy. See
'hope this helps

If you are new to Tek-Tips, please use descriptive titles, check the FAQs, and beware the evil typo.
 