httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] cgi-bin as a subdirectory of document root
Date Tue, 15 Jul 2003 00:02:44 GMT

On Mon, 14 Jul 2003, Nigel Peck - MIS Web Design wrote:

> I am 99.9% sure this is wrong, can someone point me to a page that explains why?
>
> How does it make it easier to break into?

It is not a huge deal, just a "best practice" sort of thing.

If your cgi scripts are not inside the document root (i.e., you are using
ScriptAlias) and you accidentally turn off the cgi configuration (for
example, by removing the ScriptAlias line), then the cgi scripts become
completely inaccessible.  On the other hand, if your cgi scripts are
under the document root (using AddHandler or SetHandler) and you
accidentally remove the directives, then the source-code of your cgi
scripts becomes accessible, possibly revealing valuable things to
attackers.

In addition, the document root often has more liberal access permissions
than the cgi directory, so you would need to be careful in enforcing
additional restrictions if the cgi directory was under the document root.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
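
The two layouts compared in the reply above, side by side, as an added configuration example that is not part of the original message. The filesystem paths and file extensions are assumptions, and the access-control lines use Apache 2.4 syntax rather than that of the 2003-era servers under discussion.

```apache
# Assumed document root for both layouts.
DocumentRoot "/var/www/html"

# --- Layout A: CGI directory outside the document root ---
# The only route from a URL to these files is the ScriptAlias line.
# If that line is removed by accident, /cgi-bin/ maps to nothing under
# the document root and requests fail; the script source is never served.
ScriptAlias "/cgi-bin/" "/usr/local/apache2/cgi-bin/"

<Directory "/usr/local/apache2/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

# --- Layout B: CGI directory under the document root ---
# These files are already reachable as /cgi-bin/... through DocumentRoot.
# Execution depends on the handler mapping below. If the AddHandler line
# is removed by accident, the same URLs still resolve, and the files are
# returned as ordinary static content, i.e. the script source is disclosed.
<Directory "/var/www/html/cgi-bin">
    Options +ExecCGI
    AddHandler cgi-script .cgi .pl
    # The document root usually carries looser settings than a dedicated
    # CGI directory, so restrictions have to be restated here. Disabling
    # .htaccess overrides is one such restriction (an illustrative choice).
    AllowOverride None
    Require all granted
</Directory>
```

Only one of the two layouts would be used for a given /cgi-bin/ URL; they are shown together here for comparison.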

