At 22:56 02/04/2001, you wrote:
>On Mon, Apr 02, 2001 at 09:45:59PM +0100, Dave Cross wrote:
>
> > As it's not in my cgi-bin directory I'd expect to be shown the source of
> > the script when I access this page. Instead the web server tries to run the
> > script (and gives an error as the execute flag is not set). Even right
> > clicking on a link and choosing 'save as' seems to execute the script
> > rather than delivering the source.
>
>I do hope that you were acting the stupid-user role there ;-) Of *course*
>it does the same thing regardless of which mouse button you use. They're
>all GET requests, the choice of mouse button just makes the browser behave
>in a different manner.
Yeah. Just trying to find out how much he knew.
> > Allowing executable scripts outside of /cgi-bin seems like a potential
> > security problem to me and it's certainly not how I'd expect to see a web
> > server configured.
>
>It's how I configure my servers, and I don't see any particular security
>holes. Of course, I can trust my users not to upload malware, and the
>web server has very few rights. If I want people to download the source to
>one of my files instead of executing it, I turn off execute permissions.
>There are times when I want them to do *both*, so I have the one file
>(eg demo-code.pl) and reference it with two URLs, demo-code.pl and
>demo-code.pl.src. The .src URL fails (no such file) so goes to a custom
>404 handler, which Does The Right Thing. Actually, you can do that with
>any file on my webshite. I see no problem with giving people access to
>all the source. Any passwords and the like get pulled in from files outside
>the web hierarchy.
I know. We had this discussion recently. It's not really the security
aspect that bothers me - more that they seem incapable of configuring a web
server in a way that is so common and so obvious.
> > to which, I got the following response:
> >
> > ok you are now restricted to designated cgi directories, and no it is not as
> > dangerous as you may think. the only way people can gain access to add
> > scripts is to use your username and password to upload the script in the
> > first place, plus someone has to find your webserver and also have the
> > knowledge to be able to get past my security on the server. this brings it
> > down to probably a handful of people in the uk or usa that have these
> > skills, and luckily i know most of these people so i think your site's safe.
>
>DANGER WILL ROBINSON!
Yep. That was the _really_ scary part :)
Dave...
--
<http://www.dave.org.uk> SMS: [EMAIL PROTECTED]
<plug>Data Munging with Perl <http://www.manning.com/cross/></plug>
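The restriction the hosting company describes above ("restricted to designated cgi directorys") is, in Apache terms, a matter of where ExecCGI and the cgi-script handler are enabled. The fragment below is an added example, not part of the thread or of anyone's actual server config; it assumes Apache 2.4 syntax and the placeholder paths /var/www/cgi-bin and /var/www/html.

```apache
# Weak setting (commented out, shown only for contrast): with ExecCGI and a
# cgi-script handler on the whole document root, any uploaded .pl file anywhere
# on the site is executed rather than served, which is what Dave observed.
# <Directory "/var/www/html">
#     Options +ExecCGI
#     AddHandler cgi-script .pl
# </Directory>

# Restricted setting: only the designated directory may execute scripts.
# ScriptAlias marks everything under it as CGI, so no handler mapping by
# extension is needed anywhere else.
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    Options +ExecCGI -Indexes -Includes
    AllowOverride None
    Require all granted
</Directory>

# Everywhere else: no execution, and .pl files are delivered as plain text,
# which is the "show me the source" behaviour Dave expected outside cgi-bin.
<Directory "/var/www/html">
    Options -ExecCGI -Includes -Indexes
    AllowOverride None          # .htaccess cannot re-enable ExecCGI or handlers
    RemoveHandler .pl           # undo any inherited cgi-script mapping
    AddType text/plain .pl
    Require all granted
</Directory>
```

AllowOverride None is the part worth checking on a shared host: without it, a per-directory .htaccess (uploaded with the same FTP credentials the support reply relies on) can turn ExecCGI back on for that directory.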