Hello,

I have a problem. The website I am hosting is leaking files on the Internet, and I do not know why. I am running Apache 2.4. The permissions on the cgi-bin directory are the same as all other directories under apache24/, but every file in the cgi-bin directory is viewable by anybody. The other thing I do not understand is this: I have virtual hosts set up, and there is no cgi-bin directory under those sites. It is only located under the default apache24/ directory. So, how can anyone even access the cgi-bin directory? Anyone have any ideas? There is no sensitive information in any of the files under cgi-bin, but if people can view those files, then what else can they view?

Thanks.

What are those permissions exactly?

Are you intending to serve .cgi files?
Since you have virtualhosts setup, you could "deny all" in the conf for the cgi-bin directories. Google/other for examples
What OS? Self-hosted or otherwise? How was Apache installed and by what method (package manager/compiled from source/you got it that way)?

See first reply/Question.

Hello.

The permissions of all directories under apache24 (cgi-bin, data, error, icons) are as follows:

drwxr-xr-x

The permissions of all files under cgi-bin (and other directories) are as follows:

-rw-r--r--

No, I am not intending to serve .cgi files. Like I mentioned before, there are no cgi-bin directories in the paths of my virtual hosts; the only cgi-bin directory is in the default apache24 directory defined by httpd.conf. This is overridden by the virtual hosts, however.

So, I just realized I posted a question in a Linux forum about a FreeBSD box. So, not sure if this is going to go any further, but the OS is FreeBSD 10.1-RELEASE. I am hosting the website. I installed Apache 2.4 from the ports tree. I compiled it from source.

I am reading the results from the Google query link you sent.

Thanks.