Security of server-side code?

"Brian" <us*****@juliet remblay.com.inv alid> a écrit dans le message de
news:10******** *****@corp.supe rnews.com

Still, I prefer to
put the script in a publicly accessible place with little or no
sensitive information. I keep that outside of the document root.

That's a pretty good habit indeed... But not always possible to do that,
paticularly when you're not hosted on a dedicated server and ou must share
it with lots of other web sites : in these conditions, you've got only one
place for you files.

Pierre Goiffon wrote:

"Brian" a écrit dans le message de news:

I prefer to put the script in a publicly accessible place with
little or no sensitive information. I keep that outside of the
document root.
That's a pretty good habit indeed...

Thanks. I'm quite pleased when I come up with a vaguely good idea on my
own. It happens rather infrequently, you know. ;-)
But not always possible to do that, paticularly when you're not
hosted on a dedicated server and ou must share it with lots of other
web sites :

I guess I'm lucky. As much as I hate my hosting company, they do provide
space outside of the document root. Really, it is the smart thing to do
for the hosting company. Less attacks on clients means less headaches
for tech support.

--
Brian (remove ".invalid" to email me)
http://www.tsmchughs.com/

In article <10************ *@corp.supernew s.com>, usenet3
@julietremblay. com.invalid enlightened us with...

I guess I'm lucky. As much as I hate my hosting company, they do provide
space outside of the document root. Really, it is the smart thing to do
for the hosting company. Less attacks on clients means less headaches
for tech support.

I love my hosting company, and they DO have space outside the document root.
I don't know what you're looking for or what you need to have, but I try to
plug my guys whenever I can, since they've been very good to me. They have
great tech support.
Anyway, if you want a recommendation, I'll post the link. Or you can just
whois my domain and look at the nameserver.

--
--
~kaeli~
God was my co-pilot... but then we crashed in the mountains
and I had to eat him.
http://www.ipwebdesign.net/wildAtHeart
http://www.ipwebdesign.net/kaelisSpace

In <10************ *@corp.supernew s.com>, on 08/22/2004
at 09:57 AM, Brian <us*****@juliet remblay.com.inv alid> said:

This doesn't make any sense. If the public cannot access /cgi-bin/,
what purpose can it serve?
It runs on the server, so the public has no legitimate need to access
it. The public can access the HTML that links to it.
You can, however, hide the cgi script's configuration files outside
of the document root, and only place email addresses, and sensitive
server info, in those configuration files.
Thanks. I should have thought of that :-(
Namely, NMS Formmail. You can also consider NMS TFmail. Lots more
options.
http://nms-cgi.sourceforge.net/

Thanks.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT <http://patriot.net/~shmuel>

Unsolicited bulk E-mail subject to legal action. I reserve the
right to publicly post or ridicule any abusive E-mail. Reply to
domain Patriot dot net user shmuel+news to contact me. Do not
reply to sp******@librar y.lspace.org

In <kn************ *************** *****@4ax.com>, on 08/22/2004
at 09:57 AM, Stephen Poley <sb************ ******@xs4all.n l> said:

If the server is correctly configured it is not possible for anyone
external to access cgi-bin. If it is incorrectly configured,
address-harvesters still wouldn't find the address unless someone has
linked to the file concerned.
But the whole point of a CGI program is to link to it.
The original Matt Wright version does; there are other versions
around with a better reputation.

Thanks.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT <http://patriot.net/~shmuel>

Unsolicited bulk E-mail subject to legal action. I reserve the
right to publicly post or ridicule any abusive E-mail. Reply to
domain Patriot dot net user shmuel+news to contact me. Do not
reply to sp******@librar y.lspace.org

Stephen Poley <sb************ ******@xs4all.n l> said:

If the server is correctly configured it is not possible for anyone
external to access cgi-bin. If it is incorrectly configured,
address-harvesters still wouldn't find the address unless someone has
linked to the file concerned.

"Shmuel (Seymour J.) Metz" <sp******@libra ry.lspace.org.i nvalid> posted:
But the whole point of a CGI program is to link to it.

Yes, they can refer to the resource. They can send it data, and see the
results, but they can't see what's written inside the CGI program itself.

If you had something like /cgi-bin/myscript.pl and tried to load that file
directly in the browser, you wouldn't get the source code for it, you'd get
whatever the program does when it's RUN without input data (probably an
error message). But normally you get whatever the program does when it's
run with input data.

If you look at something like the NMS alternative to Matt's form mail
script, you can see a better way of offering mail forms. Rather than your
HTML form containing recipient addresses, where they're there for all to
see and and harvest, it contains ambiguous references (aliases). Inside
the script there's a table of what addresses those references should be
used to deliver to. Nobody else on the internet can read into the contents
of that file and harvest the addresses.

e.g. It works in this fashion:

In your HTML form you'd have something like:

<input type="hidden" name="recipient " value="me">

In the formmail script, you'd have data that correlates "me"
to an address to send the form data:

%recipient_alia s = (
'me' => 't**@example.co m',
'you' => 'j******@exampl e.com',
)

--
If you insist on e-mailing me, use the reply-to address (it's real but
temporary). But please reply to the group, like you're supposed to.

This message was sent without a virus, please delete some files yourself.