httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Andersson" <>
Subject Re: [users@httpd] Perl not working... not as resolved as I thought
Date Mon, 16 Jun 2003 04:47:57 GMT
Richard Crawford wrote:
> It was pointed out to me that if the server is set up such that someone
> view the source code for our Perl scripts, our security is dangerous.

It sure is...

> The scripts could be invoked by either:
> or
> where cfmx is the context root which is required for Cold Fusion or JSP to
> run.  Currently if the scripts are invoked with the cfmx in place, then
> source code is revealed.  Is there a way to avoid this?

I don't know much of CF or JSP, so I can't tell the best way around it, so
I'll give you a few choices:

1) If /cfmx/ shouldn't be accessed by a HTTP request, you could:

<Directory /path/to/cfmx>
    Order Allow,Deny
    Deny from all

2) If you know all the scripts' file extension, you could:

<Directory /path/to/cfmx>
    <Files ~ "\.pl">
        Order allow,deny
        Deny from all

If, which I fear, /cfmx/ is actually the same filesystem directory, the
above methods may not work, so these methods are perhaps better:

3) Let the scripts be executed instead:

<Directory /path/to/cfmx>
    Options +ExecCGI

4) Or, deny access:

<Location ^/cfmx/.+\.pl$>
        Order allow,deny
        Deny from all

Without a better understanding of your setup, I cannot suggest better
methods, although I am sure others can.

Robert Andersson

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message