RE: Securing OpenSRS

From: Bhavin Turakhia (bhavindom@directi.com)
Date: Wed Mar 29 2000 - 13:27:53 EST


I AGREE...... :o) - thankfully at least the suggestions got someone further :o)

> Bhavin Turakhia (bhavindom@directi.com) wrote:
>
> > 1) Rename all your files - anyone using the opensrs knows all the
> > filenames and therefore leaves a security hole
> The cgi files are called by the web-browser anyway. Renaming manage.cgi to
> manager.cgi won't help, because the user can see the new name in the
> browser. Assuming that the attacker had found a way to read any file that
> the web-server user could read, they could read the cgi, and get the path
> for the config files.
>
> > 2) if you have directory browsing allowed then put an index.html in all
> > the directories something which does not come when you untar the
> > opensrs files
> Rather just turn directory browsing off for your OpenSRS document tree.
> Also, if it's in a Script directory, it won't do directory listings anyway.
>
> > 3) rename opensrs.conf to opensrs.cgi so that it cannot be read from the
> > browser if you have it in your normal http path
> This will only work if you have set up your webserver to treat files with a
> .cgi extension as a CGI, rather than the more secure ScriptAlias.
>
> The problem with Bhavin's suggestions is that although they might appear to
> add a level of security, they're really just making it slightly harder by
> obscuring the implementation details. Security through obscurity doesn't
> work; to secure OpenSRS you will need to isolate the cgi's from the
> configuration and to ensure that the entire system can only be accessed in a
> controlled manner.
>
> --
> Grant
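As an added illustration of Grant's point (this is not part of the original thread and not OpenSRS's own documentation), here is an Apache 1.3/2.2-style configuration showing the weak layout the three suggestions assume beside the isolated layout he recommends. The DocumentRoot, the /home/opensrs paths and the /cgi-bin/opensrs URL prefix are assumptions.

```apache
# --- Weak layout: CGIs and opensrs.conf live under the document root ---
# Every file under DocumentRoot is reachable by URL. The extension handler
# executes anything ending in .cgi, but opensrs.conf is served as plain
# text, and with Indexes on, a directory without an index file lists
# its contents. Renaming files only changes which URL leaks them.
# (all paths below are assumed, not OpenSRS defaults)
DocumentRoot "/var/www/html"
AddHandler cgi-script .cgi
<Directory "/var/www/html/opensrs">
    Options Indexes ExecCGI
</Directory>

# --- Isolated layout: ScriptAlias for scripts, config outside the tree ---
# ScriptAlias maps the URL prefix to a directory that is NOT under
# DocumentRoot. Files there can only be executed, never fetched as-is,
# and Apache does not produce directory listings for it.
ScriptAlias /cgi-bin/opensrs/ "/home/opensrs/cgi-bin/"
<Directory "/home/opensrs/cgi-bin">
    Options -Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
# The config file lives in a directory the web server never maps at all
# (assumed: /home/opensrs/etc/opensrs.conf, read by the CGI through its
# filesystem path), so there is no URL that reaches it and no rename is
# needed. The CGI still needs read access to it, so filesystem ownership
# and permissions on that directory are the next layer.

# Defence in depth for the document tree itself: listings off everywhere,
# and refuse to serve the config file even if a copy ever lands there.
<Directory "/var/www/html">
    Options -Indexes
</Directory>
<Files "opensrs.conf">
    Order allow,deny
    Deny from all
</Files>
```

The Order/Allow/Deny lines are the access-control syntax of the era of this thread; on Apache 2.4 they become `Require all granted` and `Require all denied`.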



This archive was generated by hypermail 2.1.3 : Tue Oct 19 2004 - 23:35:22 EDT