Posted to users@httpd.apache.org by Nigel Peck - MIS Web Design <ni...@miswebdesign.com> on 2003/07/14 23:58:42 UTC

[users@httpd] cgi-bin as a subdirectory of document root

I am 99.9% sure this is wrong, can someone point me to a page that explains why?

How does it make it easier to break into?

Cheers,
Nigel


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] cgi-bin as a subdirectory of document root

Posted by Nigel Peck - MIS Web Design <ni...@miswebdesign.com>.
Thanks

> -----Original Message-----
> From: Joshua Slive [mailto:joshua@slive.ca]
> Sent: 15 July 2003 01:03
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] cgi-bin as a subdirectory of document root
> 
> 
> 
> On Mon, 14 Jul 2003, Nigel Peck - MIS Web Design wrote:
> 
> > I am 99.9% sure this is wrong, can someone point me to a page 
> that explains why?
> >
> > How does it make it easier to break into?
> 
> It is not a huge deal, just a "best practice" sort of thing.
> 
> If your cgi scripts are not inside the document root (i.e., you are using
> ScriptAlias) and you accidentally turn off the cgi configuration (for
> example, by removing the ScriptAlias line), then the cgi scripts become
> completely inaccessible.  On the other hand, if your cgi scripts are
> under the document root (using AddHandler or SetHandler) and you
> accidentally remove the directives, then the source-code of your cgi
> scripts becomes accessible, possibly revealing valuable things to
> attackers.
> 
> In addition, the document root often has more liberal access permissions
> than the cgi directory, so you would need to be careful in enforcing
> additional restrictions if the cgi directory was under the document root.
> 
> Joshua.
> 




Re: [users@httpd] cgi-bin as a subdirectory of document root

Posted by Joshua Slive <jo...@slive.ca>.
On Mon, 14 Jul 2003, Nigel Peck - MIS Web Design wrote:

> I am 99.9% sure this is wrong, can someone point me to a page that explains why?
>
> How does it make it easier to break into?

It is not a huge deal, just a "best practice" sort of thing.

If your cgi scripts are not inside the document root (i.e., you are using
ScriptAlias) and you accidentally turn off the cgi configuration (for
example, by removing the ScriptAlias line), then the cgi scripts become
completely inaccessible.  On the other hand, if your cgi scripts are
under the document root (using AddHandler or SetHandler) and you
accidentally remove the directives, then the source-code of your cgi
scripts becomes accessible, possibly revealing valuable things to
attackers.

In addition, the document root often has more liberal access permissions
than the cgi directory, so you would need to be careful in enforcing
additional restrictions if the cgi directory was under the document root.

Joshua.

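To make the two points in Joshua's reply concrete, here is an added example (not code from the thread or from the Apache project): a small Python audit that parses two constructed httpd.conf fragments, one with cgi-bin under DocumentRoot enabled by AddHandler and one with cgi-bin outside DocumentRoot reached only through ScriptAlias, and reports what would happen if the CGI directive were removed. It also merges Options the way httpd does, to show how the looser DocumentRoot settings (Indexes here) leak into a cgi-bin that lives beneath it. The paths /var/www/html and /usr/lib/cgi-bin and the directives in the fragments are assumptions for illustration; the parser handles only the handful of directives the discussion turns on, not full httpd.conf syntax.

```python
"""Audit a minimal httpd.conf fragment for the cgi-bin placement issue.
Added example, not Apache project code; handles only DocumentRoot,
ScriptAlias, AddHandler/SetHandler and Options inside <Directory>."""
import os
import re
import shlex

# Constructed config fragments; paths are assumptions, not a real host.
WEAK_CONFIG = """
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
# cgi-bin sits under DocumentRoot and is enabled only by the handler line
<Directory "/var/www/html/cgi-bin">
    Options +ExecCGI
    AddHandler cgi-script .cgi .pl
</Directory>
"""

SAFER_CONFIG = """
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
# scripts live outside DocumentRoot; ScriptAlias is the only route to them
ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"
<Directory "/usr/lib/cgi-bin">
    Options None
    AllowOverride None
    Require all granted
</Directory>
"""

_OPEN = re.compile(r"^<(\w+)\s+(.+)>$")
_CLOSE = re.compile(r"^</(\w+)>$")


def _under(path, root):
    """True if path equals root or lies beneath it (after normalisation)."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return path == root or path.startswith(root + os.sep)


def parse(text):
    """Return (scope, directive, args) triples; scope is the enclosing
    <Directory> path or None at top level. Other containers keep the
    scope they are nested in. Directive names are lower-cased."""
    out, scope = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            tag, arg = m.group(1).lower(), shlex.split(m.group(2))[0]
            scope.append(arg if tag == "directory" else (scope[-1] if scope else None))
            continue
        if _CLOSE.match(line):
            scope.pop()
            continue
        parts = shlex.split(line)
        out.append((scope[-1] if scope else None, parts[0].lower(), parts[1:]))
    return out


def effective_options(options_by_dir, path):
    """Merge Options like httpd: a list made only of +/- tokens adjusts the
    parent's set, a plain list replaces it ('None' clears it)."""
    opts = set()
    for d in sorted((d for d in options_by_dir if _under(path, d)), key=len):
        tokens = options_by_dir[d]
        if all(t[0] in "+-" for t in tokens):
            for t in tokens:
                (opts.add if t[0] == "+" else opts.discard)(t[1:])
        else:
            opts = set() if tokens == ["None"] else set(tokens)
    return opts


def audit(text):
    """Return a list of (severity, message). 'high' means deleting the CGI
    directive would leave the scripts reachable as plain files (source
    disclosure); 'ok' means they would simply become unreachable."""
    entries = parse(text)
    docroot = next((a[0] for _, d, a in entries if d == "documentroot"), None)
    options = {s: a for s, d, a in entries if d == "options" and s}
    cgi_dirs, findings = [], []
    for scope, d, args in entries:
        if d == "scriptalias" and len(args) >= 2:
            cgi_dirs.append(args[1])
            if docroot and _under(args[1], docroot):
                findings.append(("high", f"ScriptAlias target {args[1]} is under DocumentRoot"))
            else:
                findings.append(("ok", f"ScriptAlias target {args[1]} is outside DocumentRoot; removing the directive gives 404, not source"))
        elif d in ("addhandler", "sethandler") and "cgi-script" in [a.lower() for a in args]:
            where = scope or docroot or "/"
            cgi_dirs.append(where)
            if docroot and _under(where, docroot):
                findings.append(("high", f"{d} cgi-script in {where} is under DocumentRoot; removing it serves script source as static files"))
            else:
                findings.append(("ok", f"{d} cgi-script in {where} is outside DocumentRoot"))
    # Second point from the thread: the looser DocumentRoot Options leak in.
    for cgi in cgi_dirs:
        if "Indexes" in effective_options(options, cgi):
            findings.append(("high", f"{cgi} inherits Indexes from DocumentRoot: directory listing of the CGI scripts"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("safer", SAFER_CONFIG)):
        for sev, msg in audit(cfg):
            print(f"{name}: [{sev}] {msg}")
```

Run against the weak fragment the audit reports two high findings (CGI enabled by AddHandler under DocumentRoot, and Indexes inherited into cgi-bin); against the safer fragment it reports only that removing ScriptAlias would make the scripts unreachable. The Options merge is the part worth noting: `Options +ExecCGI` inside the cgi-bin block does not replace the parent's `Indexes FollowSymLinks`, it adds to them, which is exactly the "more liberal access permissions" leakage Joshua warns about.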