From: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
To: www-security@ns2.rutgers.edu
Date: Sat, 2 Dec 1995 13:20:29 +0000 (GMT)
In-Reply-To: <199512011833.AA08944@mordred.gatech.edu> from "Steve" at Dec 1, 95 01:33:14 pm
Errors-To: owner-www-security@ns2.rutgers.edu

Steve wrote:
=>
=>Hello,
=>
=>I'm curious to know if there is any way for anyone to look at the source code
=>for cgi-scripts if the code lies in a /cgi-bin directory. Typically I try to
=>develop in a directory "unknown" to the server, then move the binary into the
=>appropriate location; is this unnecessary? For example, accessing the URL
=>
=> http://server.machine/cgi-bin/
=>
=>will not give an index listing of all files in the directory. I was informed,
=>however, that if (assuming you're using NCSA's httpd) you define DocumentRoot
=>to be, say, /docdir, then define something like
=>
=> ScriptAlias /schmoe/cgi-bin /docdir/cgi-bin/schmoe
=>
=>(defining a "cgi-aware" directory under the DocumentRoot hierarchy) you leave
=>yourself open to snoopers who can access the URL
=>
=> http://server.machine/schmoe/cgi-bin
=>
=>and get a listing of the directory's contents (assuming indexing is on). From
=>that point they can click on, say, the source code for "mymailer.c" and see
=>where you made the mistake of using, oh, popen() and attack your server.
=>
=>I have yet to see this work, but still, I am curious to know if this is a
=>legitimate concern. People should probably develop in another directory
=>anyway ...
=>
=>Any input is appreciated,

Hello Steve,

the obvious answer is to then do the following:

Set up your server's binary directories as one tree (such as, in my case,
/www/) and your documents directory as another tree (such as /users).
Then in srm.conf (for NCSA), you set

srm.conf:DocumentRoot /users
srm.conf:ScriptAlias /cgi-bin/ /www/cgi-bin/

The cgi-bin directory is NOT under the document root, and so can NOT be
served out to remote users.
Steff                           : University of Bristol
Steff.Watkins@bris.ac.uk        : Starlink Site Manager, UBris node
URL: http://sw.cse.bris.ac.uk/  : <= As mentioned in Wired 1.04 on
                                : Making a fire so big the gods will notice me again!!!
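The point of Steff's reply is a containment check: a ScriptAlias target that lives under DocumentRoot is reachable as an ordinary document tree as well as through the script alias, so the sources sitting next to the binaries can be served out. The script below is an added example, not part of the thread: it parses the two srm.conf excerpts quoted above (NCSA syntax) and flags any ScriptAlias whose filesystem directory sits inside DocumentRoot, reporting the document-tree URL path through which that directory would also be reachable. The function names and the embedded config strings are constructed for this example; the directive values are the ones from the exchange.

```python
import os
from typing import Dict, List, Tuple

# srm.conf excerpts taken from the exchange above (NCSA httpd directive syntax).
# Unsafe: the CGI directory is placed beneath DocumentRoot.
UNSAFE_SRM_CONF = """
DocumentRoot /docdir
ScriptAlias /schmoe/cgi-bin /docdir/cgi-bin/schmoe
"""

# Safe: binaries (/www) and documents (/users) are separate trees.
SAFE_SRM_CONF = """
DocumentRoot /users
ScriptAlias /cgi-bin/ /www/cgi-bin/
"""


def parse_srm_conf(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (DocumentRoot, [(url_prefix, fs_dir), ...]) from srm.conf-style text.

    Blank lines and '#' comments are skipped; directives other than
    DocumentRoot and ScriptAlias are ignored for this check.
    """
    docroot = None
    aliases: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        name = parts[0].lower()
        if name == "documentroot" and len(parts) == 2:
            docroot = parts[1]
        elif name == "scriptalias" and len(parts) == 3:
            aliases.append((parts[1], parts[2]))
    if docroot is None:
        raise ValueError("no DocumentRoot directive found")
    return docroot, aliases


def is_inside(child: str, parent: str) -> bool:
    """True if filesystem path `child` equals or lies below `parent`.

    Both paths are normalised first so trailing slashes and '..' segments
    cannot make a directory look like it is (or is not) under the root.
    """
    child_n = os.path.normpath(child)
    parent_n = os.path.normpath(parent)
    return child_n == parent_n or child_n.startswith(parent_n.rstrip("/") + "/")


def exposed_script_dirs(text: str) -> List[Dict[str, str]]:
    """Report every ScriptAlias whose target directory sits under DocumentRoot.

    Such a directory is reachable as plain documents via the DocumentRoot
    mapping, so files next to the binaries (e.g. mymailer.c) may be served,
    and listed if indexing is on. Returns one finding per exposed alias.
    """
    docroot, aliases = parse_srm_conf(text)
    findings: List[Dict[str, str]] = []
    for url_prefix, fs_dir in aliases:
        if is_inside(fs_dir, docroot):
            rel = os.path.relpath(os.path.normpath(fs_dir), os.path.normpath(docroot))
            findings.append({
                "script_alias": url_prefix,
                "directory": fs_dir,
                # URL path under which the same directory is served as documents.
                "document_url_path": "/" + rel.replace(os.sep, "/"),
            })
    return findings


if __name__ == "__main__":
    for label, conf in (("unsafe", UNSAFE_SRM_CONF), ("safe", SAFE_SRM_CONF)):
        found = exposed_script_dirs(conf)
        print(f"{label}: {len(found)} exposed ScriptAlias director{'y' if len(found) == 1 else 'ies'}")
        for f in found:
            print(f"  ScriptAlias {f['script_alias']} -> {f['directory']} "
                  f"is also reachable as documents at {f['document_url_path']}")
```

Run against the unsafe excerpt the check reports that /docdir/cgi-bin/schmoe is also reachable as documents at /cgi-bin/schmoe; against Steff's layout it reports nothing, because /www/cgi-bin/ is outside /users. The normalisation in is_inside matters: a path like /docdir/../www/cgi-bin must not be flagged just because its string starts with the DocumentRoot.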