|
Apache security issue
I have a HTML-written site hosted via Apache webserver. I want to re-write the site using Perl, MySQL and other stuff. For that purpose I need CGI scripts to be run (allowed only in /cgi-bin/ directory). I could put the whole site in /cgi-bin/, but then the entire URL would be ugly ;) I heared about mod_rewrite, but I don't know it. I thought about making my DocumentRoot also a ScriptAlias (that allows CGI scripts to be run from within it - /cgi-bin/ is a ScriptAliase dir). Does that provides any significant security holes?
|
First thing first, you never ever put your whole website under /cgi-bin/. Not only is that ugly but it's not standard and that location is mainly for scripts.
mod_rewrite is a module used by apache to do redirection and probably other things but I use it mostly for redirection purposes. Why would you want to ScriptAlias your documentroot? You're going to run into problems if you do that. Read about ScriptAlias, Alias, location directives and all that to get a better understanding of Apache. -twantrd |
I've read about it, and I understand that making the whole document root ScriptAlias is bad and unusual, but can't understand why? What would happen if i have there other files than cgi scripts.. if I have there *.html or pictures..?
|
Say you have a search.pl under /cgi-bin/ which it's main purpose is to search for keywords for your webpage. When a user requests to search something, apache will execute that script and return back to the user the information they requested. Html and jpg files are not scripts. Try putting a html or jpg file in there and review your apache logs. You will see what I mean.
-twantrd |
Thanks, I saw they cannot be displayed, becouse they are not scripts. That's way ScriptAlias is _Script_ ;]
|
| All times are GMT -5. The time now is 12:11 AM. |