Re: [cobalt-users] Cgi scripts allow browsing through virtual sites



Thanks Carrie,
I totally agree with that, even simple telnet and pico will allow other users
of the RaQ to see your connection string!!!

I'm wondering if there is a chmod that will allow the page to connect to the
database and the IUSER to see the contents, but not allow a telnet/php/asp/cgi
script to read the connection string in the page or a referenced page.

Does anyone have an idea or tricks?

Stephan !
satan@xxxxxxxxxxxxxxxx


----- Original Message -----
From: "Carrie Bartkowiak" <ravencarrie@xxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Tuesday, May 08, 2001 2:50 PM
Subject: Re: [cobalt-users] Cgi scripts allow browsing through virtual sites


> > MySQL is not too bad, you can set from where the user will connect
> > and the rights of this user. Only read should be the best, but a
> > database is used especially when you want input from the outside
> > world, so you will probably have write rights too..
>
> Even with keeping stuff in MySQL databases you still have to watch
> out, because the script has to have the username/password combo
> *somewhere* in some file so it's allowed to access the database.
> Anyone else on the machine can just browse around (with a CGI or PHP
> script) until they find that file that the script is using, and
> badda-bing!... they've got access to the database. :(
>
> You mentioned that the .htaccess is disabled - this is easily fixed
> with a change to the srm.conf file, unless you don't want to break
> your warranty. (Or is it the access.conf file? I keep forgetting until
> I actually get in there. One of those two.)
>
> Next time, say your name so I know what to call you! *smile*
>
> CarrieB
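Whether any chmod can let the page read its connection string while other sites' scripts cannot depends on which account each script runs as. The following is an added example, not part of the original thread: it applies the standard Unix owner/group/other read check to constructed accounts and searches all 512 permission modes. The uid/gid numbers and the two execution models (one shared web-server account versus one account per site) are assumptions for illustration; the thread does not state how the RaQ runs scripts.

```python
import stat
from collections import namedtuple

# Constructed identities; the uid/gid numbers are illustrative, not from the thread.
Proc = namedtuple("Proc", "name uid gids")
FileMeta = namedtuple("FileMeta", "owner_uid group_gid mode")

def can_read(proc, f):
    """Unix read check: exactly one class applies (owner, else group, else other)."""
    if proc.uid == 0:
        return True
    if proc.uid == f.owner_uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.group_gid in proc.gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)

def separating_modes(owner_uid, group_gid, wanted, unwanted):
    """Every mode 0o000-0o777 where `wanted` can read the file and `unwanted` cannot."""
    return [m for m in range(0o1000)
            if can_read(wanted, FileMeta(owner_uid, group_gid, m))
            and not can_read(unwanted, FileMeta(owner_uid, group_gid, m))]

SITE_A_UID, SITE_A_GID = 1001, 2001   # owner of the config file (site A)
SITE_B_UID, SITE_B_GID = 1002, 2002   # a different customer on the same box
HTTPD_UID, HTTPD_GID = 48, 48         # shared web-server account (assumed)

# Model 1 (assumed): every site's script runs as the one web-server account.
shared_a = Proc("siteA script", HTTPD_UID, {HTTPD_GID})
shared_b = Proc("siteB script", HTTPD_UID, {HTTPD_GID})
# Model 2 (assumed): a wrapper runs each site's script as that site's own user.
own_a = Proc("siteA script", SITE_A_UID, {SITE_A_GID})
own_b = Proc("siteB script", SITE_B_UID, {SITE_B_GID})
# A shell (telnet) login belonging to site B's user.
shell_b = Proc("siteB shell", SITE_B_UID, {SITE_B_GID})

def report():
    """Count the modes that separate site A's script from each other reader."""
    return {
        # Same uid and groups on both sides: no mode can tell them apart.
        "shared account, vs other site's script":
            len(separating_modes(SITE_A_UID, HTTPD_GID, shared_a, shared_b)),
        # File group set to the web-server group, "other" read bit cleared (e.g. 0640).
        "shared account, vs other site's shell user":
            len(separating_modes(SITE_A_UID, HTTPD_GID, shared_a, shell_b)),
        # Owner-only modes such as 0600 work once scripts run as the site user.
        "per-site account, vs other site's script":
            len(separating_modes(SITE_A_UID, SITE_A_GID, own_a, own_b)),
    }

if __name__ == "__main__":
    for case, count in report().items():
        print(f"{case}: {count} usable modes")
```

Under the shared-account model a mode such as 0640 with the file's group set to the web-server group keeps shell users out, but no mode keeps out another site's script, because the kernel sees the same uid and groups for both.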