Joined: Jan 2001
Posts: 4
Junior Member
Was wondering if this was possible. I don't think it is, but I'm not sure. If it is possible, then there really isn't any such thing as security on any .cgi board.

I'm only referring through http btw, not ftp. And more specifically, Apache web servers.

I'm asking because I've been trying to secure my website, and one of the ways I did this was to use htaccess passwords for various files. However, I realized my .htpasswd file was vulnerable to viewing, so I renamed it .htpasswd.cgi.

I also renamed my UltBB.setup file to UltBB.setup.cgi so that directories would be hidden.

[ February 23, 2001: Message edited by: shingen ]

Joined: Nov 2000
Posts: 168
Member
Well, I've seen many cases where the server was having errors, did not execute the script, and allowed me to download them. Which was a big security thing....

Joined: Aug 2000
Posts: 335
Member
It depends on whether the server is configured properly.

Whenever possible, files that do not need to be accessed directly by a web browser (i.e., by URL) should be located outside the web document root.

This applies especially to .htpasswd files.

Joined: Jan 2001
Posts: 4
Junior Member
If the server is a Microsoft web server, it might be vulnerable to viewing the source by opening something like this in your browser: http://www.victim.com/cgi-bin/Ultimate.cgi+.htr

That's the only bug I know.

[edit]
typo
[/edit]

[ February 23, 2001: Message edited by: Rene59 ]

Joined: Feb 2001
Posts: 18
Junior Member
And how exactly does that make directories hidden?

Joined: Jan 2001
Posts: 4
Junior Member
Well, not hidden. But certainly not accessible by simply looking at an UltBB.setup file. Yes, some files are called upon in various directories, but I'd like it if somebody didn't know where my member directory was, etc...

I'm also using htaccess to call a custom error handling script that logs all IPs, in addition to index.html files that point to this error script. It comes in handy for logging people that like to snoop around.

Oh, and thanks Dave_L for that tip about putting .htaccess files outside web document root. Didn't think about that option.

[ February 24, 2001: Message edited by: shingen ]

Joined: Jul 2000
Posts: 1,349
Ell
Member
I can't for the life of me remember how to do it, but there's a


order deny,allow
deny from all


Type-thing that lets you deny browser access to .htaccess and .htpasswd files, that could also be adapted for .setup, I guess...
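
A complete form of the deny rule recalled in the last post, combined with the earlier advice to keep the password file outside the document root. This is an added example, not part of any post in the thread; the `/home/example/private/.htpasswd` path and the "Members" realm name are placeholders.

```apache
# .htaccess for a password-protected directory (constructed example).

# Password file lives outside the web document root, so no URL maps to it.
# /home/example/private/.htpasswd is a placeholder path.
AuthType Basic
AuthName "Members"
AuthUserFile /home/example/private/.htpasswd
Require valid-user

# Refuse HTTP requests for .htaccess, .htpasswd and any other ".ht*" file
# (this also covers a renamed .htpasswd.cgi), and for board setup files
# such as UltBB.setup or UltBB.setup.cgi.
# CGI scripts still read these files from disk; only URL access is blocked.
<FilesMatch "^\.ht|\.setup(\.cgi)?$">
    # Apache 2.4 and later (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 and earlier: the Order/Deny form quoted in the post above
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
```

In a `.htaccess` file the `Order`/`Deny` lines need `AllowOverride Limit` and the `Require` lines need `AllowOverride AuthConfig`; placing the same block in the main server configuration avoids that dependency.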

