
#3 Possible Security Hole

open
None
7
2005-01-08
2002-01-04
Anonymous
No

I had tried out DB_Browser and it works great! It's
wonderful. But I am concerned as by default the
CONFIG.pm is stored in the same dir as the .cgi which
could be okay if the webserver was set up to ignore
these files, but many are not. I do not know perl and
am not good at programming, but I was wondering if
there was an easy way to keep users from accessing
these files. I see that your demo does nothing to
stop this... for example
http://www.summersault.com/software/db_browser/demo/CONFIG.pm
shows your config file (unless this is fake to deter
people)

I would like to know a recommended way to protect this
file, for now I just renamed it to something else that
would keep someone from finding it.

Any thoughts would be appreciated, and I think this
should go in the readme or faq

Thanks,
Daniel

Discussion

  • Chris Hardie - 2002-01-06
    • assigned_to: nobody --> chris_hardie
  • Chris Hardie - 2002-01-06 (Logged In: YES, user_id=8993)

    Daniel,

    Your point is a good one. In general, I recommend against
    running DB_Browser in a public environment, as it is
    already a very powerful tool allowing someone to alter data
    in a database. (If they're doing that, letting them see
    the config information may be the least vulnerable thing
    you can do).

    However, the practice of putting a config file in a
    web-accessible directory is a poor one, and one I need to
    remedy. In the short term, you could move the config file
    out of a web-accessible directory, and update the scripts
    and other perl module files to point to that location, as
    needed. In the next release, I'll make a note to do the
    same.

    Thanks,
    Chris
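
The move Chris describes above, as an added example that is not part of this ticket or of DB_Browser's own code: a hypothetical header for the .cgi after CONFIG.pm has been relocated. It assumes the script lives in /var/www/cgi-bin, the config now lives in /etc/db_browser, and the script loads the module with `use CONFIG;` (all assumptions; the real DB_Browser file layout and module loading may differ). Besides pointing `@INC` at the new directory, it refuses to start if the config is still somewhere the web server could hand out as a plain file, or if other local users on the host can read it.

```perl
#!/usr/bin/perl
# Added example, not DB_Browser's own code: the header of a hypothetical
# db_browser.cgi after CONFIG.pm has been moved out of the web root.
# Assumed layout: script in /var/www/cgi-bin, config in /etc/db_browser.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Spec;

# Directory that holds CONFIG.pm; must NOT be under the document root.
use constant CONFIG_DIR => '/etc/db_browser';

# True if $path is $root or lies beneath it, after resolving symlinks.
sub path_is_under {
    my ($path, $root) = @_;
    my $p = abs_path($path);
    my $r = abs_path($root);
    return 0 unless defined $p && defined $r;
    $p = File::Spec->canonpath($p);
    $r = File::Spec->canonpath($r);
    return 1 if $p eq $r;
    return index($p, "$r/") == 0 ? 1 : 0;
}

# Die before loading the config if the web server could also serve it as a
# plain file, or if other local users on the host can read it.
sub check_config_location {
    my ($dir) = @_;
    my $file = File::Spec->catfile($dir, 'CONFIG.pm');
    die "config not found: $file\n" unless -e $file;

    # Under a CGI run Apache exports its document root as DOCUMENT_ROOT;
    # outside a web server (cron, shell) it is unset and this check is skipped.
    my $docroot = $ENV{DOCUMENT_ROOT};
    if (defined $docroot && length $docroot && path_is_under($file, $docroot)) {
        die "refusing to start: $file is under DOCUMENT_ROOT=$docroot; "
          . "move it outside the web root\n";
    }

    # Database credentials should not be world-readable (e.g. mode 0640,
    # group-owned by the web server's user).
    my $mode = (stat $file)[2] & 07777;
    die sprintf("refusing to start: %s is world-readable (mode %04o)\n", $file, $mode)
        if $mode & 0004;
    return 1;
}

# Runs at compile time, before the "use lib" / "use CONFIG" lines below.
BEGIN { check_config_location(CONFIG_DIR) }

# Put the new directory on the module search path, then load the module
# exactly as before; other "use CONFIG" call sites need only the same two lines.
use lib CONFIG_DIR;
use CONFIG;

# ... rest of the script unchanged ...
```

The DOCUMENT_ROOT check only covers files under the document root, so as defense in depth also tell the web server never to serve module files at all, e.g. in Apache a `<FilesMatch "\.pm$">` section containing `Require all denied` (2.4) or `Order allow,deny` plus `Deny from all` (2.2). After the change, confirm with `curl -sI http://your.host/db_browser/CONFIG.pm` that the old URL now returns 403 or 404 rather than the file's contents.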

  • Chris Hardie - 2005-01-08
    • labels: 210680 -->
    • priority: 5 --> 7
  • Chris Hardie - 2005-01-08 (Logged In: YES, user_id=8993)

    Classified as bug for re-organization in next release.

