Re: [cgiwrap-users] Preventing direct access to CGIWRAP?
Brought to you by:
nneul
Menu
▾
▴
Re: [cgiwrap-users] Preventing direct access to CGIWRAP?
|
From: Joe H. <on...@dc...> - 2001-11-26 16:08:57
|
On Mon, 26 Nov 2001 ce...@sm... wrote: > Hi, > > I am using CGIWRAP seemlessly with the AddHandler / Action directives with > apache. I just discovered that it was possible to execute a script that is > located in a password protected directory using .htaccess file. > > When accessing http://www.website.com/protected/script.cgi, Apache won't > allow unauthorized access because there is a .htaccess file with the right > directives in the protected directory. When supplying the right password, > apache will execute the script by calling CGIWRAP. This is all good. > > Although, you guessed it, if one calls > http://www.website.com/cgibin/cgiwrap/username/protected/script.cgi, it is > easy to breach in. > > I would like to prevent cgiwrap to be accessed directly, like in the second > exemple. Is there a way to do this? Well, I would think that you'd have different environmental variables set when called through the two different paths. You might check if there's something that you can key off of, so that you can reject if it's not being called through the way which you prefer. ----- Joe Hourcle |
