LinuxQuestions.org


ivanatora 04-15-2005 05:00 AM

Apache security issue
 
I have an HTML-written site hosted via Apache webserver. I want to re-write the site using Perl, MySQL and other stuff. For that purpose I need CGI scripts to be run (allowed only in /cgi-bin/ directory). I could put the whole site in /cgi-bin/, but then the entire URL would be ugly ;) I heard about mod_rewrite, but I don't know it. I thought about making my DocumentRoot also a ScriptAlias (that allows CGI scripts to be run from within it - /cgi-bin/ is a ScriptAlias dir). Does that provide any significant security holes?

twantrd 04-16-2005 02:59 AM

First things first, you never ever put your whole website under /cgi-bin/. Not only is that ugly but it's not standard and that location is mainly for scripts.

mod_rewrite is a module used by Apache to do redirection and probably other things but I use it mostly for redirection purposes.

Why would you want to ScriptAlias your DocumentRoot? You're going to run into problems if you do that. Read about ScriptAlias, Alias, Location directives and all that to get a better understanding of Apache.

-twantrd

ivanatora 04-16-2005 09:08 AM

I've read about it, and I understand that making the whole document root ScriptAlias is bad and unusual, but I can't understand why. What would happen if I have there other files than CGI scripts.. if I have there *.html or pictures..?

twantrd 04-17-2005 01:13 PM

Say you have a search.pl under /cgi-bin/ whose main purpose is to search for keywords for your webpage. When a user requests to search something, Apache will execute that script and return back to the user the information they requested. HTML and JPG files are not scripts. Try putting an HTML or JPG file in there and review your Apache logs. You will see what I mean.

-twantrd

ivanatora 04-18-2005 06:46 AM

Thanks, I saw they cannot be displayed, because they are not scripts. That's why ScriptAlias is _Script_ ;]
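
The configuration question discussed in this thread, as an added example that is not part of any post: the ScriptAlias-on-DocumentRoot setting beside two common alternatives. The filesystem paths and the `/search` URL are assumptions; `search.pl` is the script name used in the thread, and access-control directives are omitted.

```apache
# --- What the thread advises against (constructed; paths are assumptions) ---
# ScriptAlias marks every file under the target directory as a CGI program,
# so index.html or logo.jpg is executed instead of served and the request
# fails with an error in the Apache error log.
# ScriptAlias / "/var/www/html/"

# --- Option A: keep scripts in /cgi-bin/ and hide the path with mod_rewrite ---
DocumentRoot "/var/www/html"
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

RewriteEngine On
# /search is a hypothetical clean URL. [PT] passes the rewritten path back
# to URL mapping so the ScriptAlias above still applies to it.
RewriteRule ^/search$ /cgi-bin/search.pl [PT,L]

# --- Option B: allow CGI inside the document root, limited by extension ---
# Only files ending in .pl or .cgi are executed; HTML and images in the
# same directory are still served as static content.
<Directory "/var/www/html">
    Options +ExecCGI
    AddHandler cgi-script .pl .cgi
</Directory>
```

With Option A nothing under the document root is ever executed; with Option B any file in the document root with a listed extension will be run, so write access to that directory needs to be restricted accordingly.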


All times are GMT -5.