LinuxQuestions.org
Old 04-15-2005, 05:00 AM   #1
ivanatora
Apache security issue


I have an HTML-written site hosted via Apache webserver. I want to re-write the site using Perl, MySQL and other stuff. For that purpose I need CGI scripts to be run (allowed only in /cgi-bin/ directory). I could put the whole site in /cgi-bin/, but then the entire URL would be ugly. I heard about mod_rewrite, but I don't know it. I thought about making my DocumentRoot also a ScriptAlias (that allows CGI scripts to be run from within it - /cgi-bin/ is a ScriptAlias dir). Does that provide any significant security holes?
 
Old 04-16-2005, 02:59 AM   #2
twantrd
First things first, you never ever put your whole website under /cgi-bin/. Not only is that ugly but it's not standard and that location is mainly for scripts.

mod_rewrite is a module used by Apache to do redirection and probably other things, but I use it mostly for redirection purposes.

Why would you want to ScriptAlias your documentroot? You're going to run into problems if you do that. Read about ScriptAlias, Alias, location directives and all that to get a better understanding of Apache.

-twantrd
 
Old 04-16-2005, 09:08 AM   #3
ivanatora
I've read about it, and I understand that making the whole document root ScriptAlias is bad and unusual, but can't understand why. What would happen if I have there other files than CGI scripts... if I have there *.html or pictures?
 
Old 04-17-2005, 01:13 PM   #4
twantrd
Say you have a search.pl under /cgi-bin/ whose main purpose is to search for keywords for your webpage. When a user requests to search something, Apache will execute that script and return back to the user the information they requested. HTML and jpg files are not scripts. Try putting an HTML or jpg file in there and review your Apache logs. You will see what I mean.

-twantrd
 
Old 04-18-2005, 06:46 AM   #5
ivanatora
Thanks, I saw they cannot be displayed, because they are not scripts. That's why ScriptAlias is _Script_ ;]
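The setup discussed in this thread, written out as an added configuration example that is not part of any post above: the document-root ScriptAlias the original poster asked about, next to a layout that keeps scripts in /cgi-bin/ and uses mod_rewrite for clean URLs. The paths /var/www/site and /var/www/cgi-bin and the /search URL are assumptions; search.pl is the script name from post #4, and mod_rewrite is assumed to be loaded.

```apache
# Constructed example. /var/www/site and /var/www/cgi-bin are assumed paths.

# --- Problematic: the whole document root is a ScriptAlias ---
# Every file below /var/www/site is treated as a CGI program.
# index.html or logo.jpg are not scripts, so requests for them fail
# instead of being served, and the reason is recorded in the error log.
# It also means any executable file that ends up in the document root
# is run by the server rather than sent to the browser.
#
# DocumentRoot "/var/www/site"
# ScriptAlias / "/var/www/site/"

# --- Corrected: static content and scripts kept apart ---
DocumentRoot "/var/www/site"

# Only this directory, outside the document root, is executed as CGI.
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory "/var/www/site">
    # Static files only: no CGI execution, no .htaccess overrides
    # that could switch it back on.
    Options -ExecCGI
    AllowOverride None
</Directory>

# Clean URLs: a request for /search is mapped internally to
# /cgi-bin/search.pl, so /cgi-bin/ never shows up in links.
# [PT] passes the rewritten path back to URL mapping so that the
# ScriptAlias above is applied to it.
RewriteEngine On
RewriteRule ^/search$ /cgi-bin/search.pl [PT]
```

The RewriteRule pattern starts with a slash because the rule sits in server or virtual-host context; in a .htaccess file the leading slash is not part of the matched path.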
 
  

