Re: [cobalt-users] All folders visible on whole server
- Subject: Re: [cobalt-users] All folders visible on whole server
- From: "Brian Curtis" <admin@xxxxxxxxxxx>
- Date: Sat Dec 9 05:16:01 2000
- Organization: Pomfret Computer Technologies
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> > Forgot to add to my last message:
> >
> > <Files ~ "^adminpro\.(cgi|pl)$">
> > Order allow,deny
> > Deny from all
> > </Files>
> >
> > Test: http://www.ctusa.net/cgi-bin/adminpro.cgi
>
> Hi!
>
> Could someone just rename the script something like 'notadminpro.cgi' and
> still run it?
Yes, and I had mentioned that in a previous email. However, taken directly
from adminpro.cgi:
#
# DO NOT change the name of this script as its performance will
# be adversely affected. However, you may change the extension
# to ".pl" if ".cgi" is not supported by your server.
#
> Is there a way we could sniff out the contents of the file or
> something, or check for the ID of the person who is using the program and
> only give them access to their directories...?
>
> Thank you for this security clue, btw!
>
> -Dee Dreslough
> (Raq newbie... :) )
Well, there's no way to "sniff out" the script that I can think of which
wouldn't create some serious system overhead (i.e. inspecting the contents
of every perl/cgi script using something run from cron on a regular basis).
I know there are a few tools available which monitor your filesystem for odd
file permissions/changes, but I don't know if they can be customized to
search for a certain script containing "xyz" text. Might be something to
look into.
--
Brian Curtis
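The thread's point is that the Apache `<Files>` block matches only on the file name, so a renamed copy of adminpro.cgi slips past it, while the script's own header comment (quoted above) is a stable marker of its contents. The script below is an added example, not code from the thread or from Cobalt: a cron-friendly POSIX sh scan that reports every `*.cgi` / `*.pl` file under a directory tree whose contents carry that marker, whatever the file is called. The directory layout, file names and the `demo_scan` fixture are constructed for illustration; only `find` and `grep` are assumed.

```shell
#!/bin/sh
# Added example, not part of the original cobalt-users thread.
# Finds CGI/Perl scripts by their contents rather than their file name,
# so a renamed copy of adminpro.cgi is still reported. All paths below
# are hypothetical; only POSIX sh, find and grep are assumed.

# Marker text quoted in the thread from adminpro.cgi's own header comment.
ADMINPRO_MARKER='DO NOT change the name of this script'

# find_scripts_by_marker DIR MARKER
# Print the path of every regular *.cgi / *.pl file under DIR whose
# contents contain MARKER as a literal (fixed, not regex) string.
find_scripts_by_marker() {
    find "$1" -type f \( -name '*.cgi' -o -name '*.pl' \) \
        -exec grep -lF -- "$2" {} + 2>/dev/null
}

# count_scripts_by_marker DIR MARKER
# Echo the number of matching scripts (0 when none).
count_scripts_by_marker() {
    find_scripts_by_marker "$1" "$2" | wc -l | tr -d ' '
}

# demo_scan: build a constructed cgi-bin layout in a temp dir containing
# the "real" script, a renamed copy of it, and one unrelated script; scan
# it; echo the number of hits. The renamed copy is caught because the
# match is on content, the unrelated script is not. Expected: 2.
demo_scan() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/site1/cgi-bin" "$tmp/site2/cgi-bin"
    # constructed stand-in for the real script: just its header comment
    printf '#!/usr/bin/perl\n#\n# %s as its performance will\n# be adversely affected.\n' \
        "$ADMINPRO_MARKER" > "$tmp/site1/cgi-bin/adminpro.cgi"
    # the case the thread worries about: same code, different name/extension
    cp "$tmp/site1/cgi-bin/adminpro.cgi" "$tmp/site2/cgi-bin/notadminpro.pl"
    # an unrelated script that must not be reported
    printf '#!/usr/bin/perl\nprint "hello\\n";\n' > "$tmp/site2/cgi-bin/hello.cgi"
    n=$(count_scripts_by_marker "$tmp" "$ADMINPRO_MARKER")
    rm -rf "$tmp"
    echo "$n"
}

# Stand-alone use: scan a hypothetical web root and print the demo count.
# From cron you would run find_scripts_by_marker against the real web
# root and mail any output to the administrator.
if [ "${1:-}" = "--demo" ]; then
    demo_scan
fi
```

Listing the hits rather than deleting them keeps the scan read-only, so it is safe to schedule unattended; the `<Files>` deny rule still handles the original name, and this scan closes the gap for copies under other names. The cost the reply mentions is real: `grep -l` stops at the first match in each file, but every candidate script is still opened on each run, so restrict the tree to the cgi-bin directories you actually serve rather than scanning the whole filesystem.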