I think that the directory structure of the OpenSRS client code
is not very good. I mean that all content of lib/ and etc/ must
be moved to the cgi-bin (not cgi!) directory, and this can easily, if not
solve, then lower the risk of being cracked, because of the default settings of
Apache, i.e. everything stored in cgi-bin is forbidden for viewing; also just
adding the extension .cgi to OpenSRS.conf by default forever prevents a smart
user from viewing it, with error 500 and so on.
Yes, it may be intended for lamers, but who knows how many good qualified
*nix admins you can find among more than 10.000 (according to the current
ref#) resellers?
 

Sergei Kolodka
[EMAIL PROTECTED]



>> I really do not know what to say and wonder how many RSPs did that.
>> A few minutes ago I found (by accident !!!) an RSP whose site is absolutely open
>> for all visitors.
>> I don't know whether it is operating now and don't want to teach them.
>> Anyway, there is a good reason for every RSP to check their sites.

WXW> This isn't as uncommon as you would think.  Fortunately, OpenSRS also
WXW> restricts access by IP, and presumably also logs IPs with
WXW> transactions, but still, you are right, this is a very unnecessary and
WXW> very high risk.  Much like the many RSPs who left register.cgi in
WXW> their web accessible areas.

WXW> Even on virtual hosts where you might not have the option of storing
WXW> files outside the web accessible file system, you can use .htaccess to
WXW> prevent that file from being web accessible.
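The .htaccess approach mentioned above, written out as an added example (not a file from the thread or from OpenSRS). It assumes the reseller's OpenSRS client sits under the web document root, that the server administrator has allowed .htaccess overrides for that directory, and it covers the two files named in the discussion, OpenSRS.conf and register.cgi:

```apache
# Added example, not part of the original thread or the OpenSRS distribution.
# Place this .htaccess in the directory that holds the OpenSRS client files.
# Assumes AllowOverride permits FileInfo/Limit/AuthConfig here (hypothetical
# server setup); if overrides are disabled the file is silently ignored.

# Deny every web request for the configuration file and the installer script
# discussed in the thread. The files stay readable for the CGI scripts on disk;
# only browser access is blocked.
<FilesMatch "^(OpenSRS\.conf|register\.cgi)$">
    # Apache 2.4 syntax
    Require all denied
</FilesMatch>

# Equivalent block for Apache 2.2 and older (use one or the other, not both):
# <FilesMatch "^(OpenSRS\.conf|register\.cgi)$">
#     Order deny,allow
#     Deny from all
# </FilesMatch>

# To shield the whole lib/ and etc/ trees rather than single files, drop a
# second .htaccess into each of those directories containing just:
#     Require all denied
```

After deploying it, request the file from a browser and confirm the server answers 403 rather than returning the file contents. Note the difference from the rename-to-.cgi trick suggested earlier in the thread: the error 500 it relies on only appears because Apache tries to execute the file as a CGI script, so it depends on the CGI handler being configured for that directory, whereas the explicit deny does not depend on any handler and fails closed.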

