[1228] in WWW Security List Archive
Re: source code security
daemon@ATHENA.MIT.EDU (Holger Reif)
Wed Dec 13 06:49:41 1995
Date: Wed, 13 Dec 95 09:51:34 +0100
From: Holger.Reif@PrakInf.TU-Ilmenau.DE (Holger Reif)
To: steve@mordred.gatech.edu
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
[late response]
> I'm curious to know if there is any way for anyone to look at the source code
> for cgi-scripts if the code lies in a /cgi-bin directory
> if (assuming you're using NCSA's httpd) you define DocumentRoot
> to be, say, /docdir, then define something like
>
> ScriptAlias /schmoe/cgi-bin /docdir/cgi-bin/schmoe
> (defining a "cgi-aware" directory under the DocumentRoot hierarchy) you leave
> yourself open to snoopers who can access the URL
>
> http://server.machine/schmoe/cgi-bin
>
> and get a listing of the directory's contents (assuming indexing is on)
First: you can define the cgi-dir using the real name - then you don't leave
that hole.
Next I suggest doing the development in a separate dir and setting symbolic
links to that dir (don't forget to set the option FollowLinks (?) in .htaccess)
read you later - Holger Reif
http://remus.prakinf.tu-ilmenau.de/Reif/
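The exposure discussed in this exchange is a configuration property, so it can be checked mechanically. The following script is an added example, not code from either poster: it reads the NCSA-style directives `DocumentRoot`, `ScriptAlias` and `<Directory> ... Options` from one text (assumed to be srm.conf and access.conf concatenated), and reports every ScriptAlias whose filesystem target sits under DocumentRoot but whose URL prefix differs from the path the document tree would give it, since such a directory is reachable a second time as plain files. It goes slightly beyond the thread by separating the two consequences: script source readable through the document URL, and, only where `Indexes` is in effect, a directory listing. The two configurations are constructed samples; the first is the poster's layout, the second applies Holger's advice (alias by the real name, or keep scripts outside DocumentRoot). The option that enables symbolic links is assumed here to be `FollowSymLinks`.

```python
import os
import re
from dataclasses import dataclass, field

# Constructed sample: the layout the original poster describes, with
# srm.conf and access.conf directives concatenated into one text.
VULNERABLE_CONF = """
DocumentRoot /docdir
ScriptAlias /schmoe/cgi-bin/ /docdir/cgi-bin/schmoe/
ScriptAlias /cgi-bin/ /usr/local/etc/httpd/cgi-bin/
<Directory /docdir>
Options Indexes FollowSymLinks
</Directory>
"""

# Constructed sample: the alias uses the directory's real path under
# DocumentRoot, so CGI and document URL space coincide; the second alias
# points at a development directory outside DocumentRoot.
FIXED_CONF = """
DocumentRoot /docdir
ScriptAlias /cgi-bin/schmoe/ /docdir/cgi-bin/schmoe/
ScriptAlias /cgi-bin/dev/ /home/schmoe/cgi-dev/
<Directory /docdir>
Options Indexes FollowSymLinks
</Directory>
"""

@dataclass
class HttpdConfig:
    document_root: str = ""
    script_aliases: list = field(default_factory=list)      # (url_prefix, fs_dir)
    directory_options: dict = field(default_factory=dict)   # fs_dir -> set of Options

def parse_config(text):
    """Minimal reader for DocumentRoot, ScriptAlias and <Directory> Options."""
    cfg = HttpdConfig()
    current_dir = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"<Directory\s+(\S+)>", line, re.IGNORECASE)
        if m:
            current_dir = os.path.normpath(m.group(1))
            cfg.directory_options.setdefault(current_dir, set())
            continue
        if line.lower() == "</directory>":
            current_dir = None
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "documentroot" and len(parts) == 2:
            cfg.document_root = os.path.normpath(parts[1])
        elif key == "scriptalias" and len(parts) == 3:
            cfg.script_aliases.append((parts[1], os.path.normpath(parts[2])))
        elif key == "options" and current_dir is not None:
            cfg.directory_options[current_dir].update(parts[1:])
    return cfg

def _is_within(path, parent):
    """True if path equals parent or lies beneath it (both already normalised)."""
    return path == parent or path.startswith(parent.rstrip("/") + "/")

def effective_options(cfg, fs_dir):
    """Options of the most specific <Directory> block covering fs_dir."""
    best = None
    for d in cfg.directory_options:
        if _is_within(fs_dir, d) and (best is None or len(d) > len(best)):
            best = d
    return cfg.directory_options[best] if best else set()

def find_exposed_script_dirs(cfg):
    """Report ScriptAlias targets that are also reachable as plain documents.

    A script directory under DocumentRoot has a second URL derived from its
    filesystem position. Unless that URL is the ScriptAlias prefix itself,
    requests through it are served as ordinary files (script source), and
    with Indexes enabled the directory can be listed as well.
    """
    findings = []
    if not cfg.document_root:
        return findings
    for url_prefix, fs_dir in cfg.script_aliases:
        if not _is_within(fs_dir, cfg.document_root):
            continue
        alt_url = os.path.normpath("/" + os.path.relpath(fs_dir, cfg.document_root))
        if os.path.normpath(url_prefix) == alt_url:
            continue    # alias and real path coincide: the CGI mapping wins
        findings.append({
            "url_prefix": url_prefix,
            "fs_dir": fs_dir,
            "alt_url": alt_url,
            "listable": "Indexes" in effective_options(cfg, fs_dir),
        })
    return findings

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        print(name, find_exposed_script_dirs(parse_config(conf)))
```

Run against a real server, the script would be fed the server's srm.conf and access.conf; a finding with `listable` false still means the script source is readable through `alt_url`, so turning off `Indexes` alone does not close the hole. Holger's second suggestion (develop outside DocumentRoot and link in) produces no finding because the target never lies under the document tree.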