RE: Securing OpenSRS

From: Grant Kaufmann (grant@netizen.co.za)
Date: Wed Mar 29 2000 - 04:36:04 EST


Bhavin Turakhia (bhavindom@directi.com) wrote:

> 1) Rename all your files - anyone using the opensrs knows all the
> filenames and therefore leaves a security hole
The cgi files are called by the web-browser anyway. Renaming manage.cgi to
manager.cgi won't help, because the user can see the new name in the
browser. Assuming that the attacker had found a way to read any file that
the web-server user could read, they could read the cgi and get the path
for the config files.

> 2) if you have directory browsing allowed then put an index.html in all
> the directories, something which does not come when you untar the opensrs files
Rather just turn directory browsing off for your OpenSRS document tree.
Also, if it's in a Script directory, it won't do directory listings anyway.

> 3) rename opensrs.conf to opensrs.cgi so that it cannot be read from the
> browser if you have it in your normal http path
This will only work if you have set up your webserver to treat files with a
.cgi extension as a CGI, rather than the more secure ScriptAlias.

The problem with Bhavin's suggestions is that although they might appear to
add a level of security, they're really just making it slightly harder by
obscuring the implementation details. Security through obscurity doesn't
work; to secure OpenSRS you will need to isolate the CGIs from the
configuration and to ensure that the entire system can only be accessed in a
controlled manner.

--
Grant
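The layout contrast Grant describes (extension-based CGI execution under the document root versus a ScriptAlias directory with the configuration outside the web tree), written out as an added Apache configuration example that is not part of the original message or of OpenSRS itself. Apache 2.4 directive syntax is used, and every path below is an assumed placeholder, not OpenSRS's real install layout.

```apache
# --- Weak layout (what the thread warns against) ---------------------------
# CGIs and their config live under DocumentRoot, .cgi files are executed only
# because of their extension, and directory listings are switched on.
# Paths are assumed for illustration.
DocumentRoot "/var/www/html"
<Directory "/var/www/html/opensrs">
    Options +Indexes +ExecCGI
    AddHandler cgi-script .cgi
</Directory>
# Consequences: /opensrs/ returns a listing of every file, opensrs.conf is
# downloadable as plain text, and renaming it to opensrs.cgi only hides it
# for as long as the AddHandler line survives the next config edit.

# --- Hardened layout --------------------------------------------------------
# Scripts are reached only through a ScriptAlias directory that sits outside
# DocumentRoot, so every file in it is executed, never served as source.
ScriptAlias /opensrs/ "/usr/local/opensrs/cgi-bin/"
<Directory "/usr/local/opensrs/cgi-bin">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Directory listings off for the static document tree as well.
<Directory "/var/www/html">
    Options -Indexes
    AllowOverride None
</Directory>

# The configuration lives in /usr/local/opensrs/etc (assumed path), which no
# URL maps to at all; the CGIs read it from the filesystem. Keep it readable
# by the web-server user only (e.g. mode 0640, group = web-server group).
# As a second line of defence, refuse to serve a stray copy of the config
# file should one ever be dropped into a web-visible directory.
<Files "opensrs.conf">
    Require all denied
</Files>
```

Check the result with `apachectl configtest` and then request /opensrs/ and /opensrs/opensrs.conf from a browser: the first should not list files and the second should not return the configuration.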



This archive was generated by hypermail 2.1.3 : Tue Oct 19 2004 - 23:35:22 EDT