Gossamer Forum

404 file not found

Hello,

Yesterday I shared that when trying to access the db.cgi script (server/cgi-bin/db.cgi) I received a 404 error. I received help from JPD and made sure that the settings were correct in the default.cfg file as advised.

The problem still remained. So after mulling the issue over a bit more, I finally removed all the modified files and uploaded the original files, making sure that I modified the default.cfg file to reflect the correct path to the dbman folder in the cgi-bin.

I also made certain that each file was uploaded in ASCII and that they were all chmod'd correctly. I still receive the error.

I am at a complete loss as to what I should do or where to look. If someone could help me or direct me to a source for help, I would be ever so grateful. I am really in a pickle over here. ;)

Thank you!

Best Regards,

Kim Lanners



Software Made Easy
http://sme-net.com
Re: 404 file not found In reply to
The only thing I can suggest is to let me take a look at your default.cfg file.

Copy the file to a web-accessible directory (one where you would place .html files) and rename it to default_cfg.txt. Then come back here and let me know where I can pick it up. I'll see if I can figure it out.

PS. It's better to respond to your previous thread when you're dealing with the same problem than to start a new thread. That way I can follow the progress of the discussion and am less likely to repeat myself. Smile


JPD
http://www.jpdeni.com/dbman/
Re: 404 file not found In reply to
Hello,

My apologies for not keeping with the thread and thank you for pointing out this fact. ;)

I have saved the default.cfg file as per your request. You can access it at: http://viewpointdesign.net/proofs/proofs/default_cfg.txt

This project is currently being developed under the proofs directory. (http://viewpointdesign.net/proofs) Meaning that the client has their current site active at top level (http://viewpointdesign.net) in which they want to keep active until I have finished the new site. You should know that I have all the dbman files located at root (top) level (http://viewpointdesign.net/cgi-bin/) versus under the /proofs directory.

After I posted my request, I messed around some more with trying to access http://viewpointdesign.net/cgi-bin/db.cgi. [I turn into a bulldog when I can't figure out something ;)]

As you know, typing in http://viewpointdesign.net/cgi-bin/db.cgi returns a 404 error. But I found that if I type in http://viewpointdesign.net/cgi-bin/dbman/db.cgi - I am presented with the full directory layout. ?? Thus leaving a door wide open for anyone to look in all files. I made certain that the file db.cgi had been updated to reflect the two modifications Alex released a couple of days ago, so I then checked to make sure that the index.html file was properly uploaded under the 'auth' directory. It was.

I have obviously done something wrong, but I have no clue as to what or how to rectify the issue.

I sure appreciate you taking the time to help this 'ole girl out. ;)

Best Regards,

Kim Lanners



Software Made Easy
http://sme-net.com
Re: 404 file not found In reply to
I just accessed your database by going to http://viewpointdesign.net/cgi-bin/dbman/db.cgi. I entered a default password and got right into the database. No problem.

I did get the 404 error when I tried to access it at http://viewpointdesign.net/cgi-bin/db.cgi.

When I accessed the directory at http://viewpointdesign.net/cgi-bin/ I got the directory listing of your cgi-bin, which showed a "dbman" directory. Accessing http://viewpointdesign.net/cgi-bin/dbman/ gave me all of the DBMan files.

There are definite security issues here. I'll have to look around to see what can be done for this. I haven't had to deal with it myself, since my server does not allow the listing of a directory that's within a cgi-bin.

First, try accessing the first URL I have above and see if you can get into the database. Smile

(I like helping "'ole girls" out. I'm one myself!! Smile)

JPD
http://www.jpdeni.com/dbman/
Re: 404 file not found In reply to
Hi JPD,

Thank you! Not only for taking a look, but also confirming I have not lost my mind. ; )

I will also look for references of access to the cgi-bin in this manner. Now I'm more curious than ever! ;)

Best Regards,

Kim



Software Made Easy
http://sme-net.com
Re: 404 file not found In reply to
Oh, you could very well be losing your mind. Just not on this issue. Wink

I've seen references to using .htaccess files in the dbman directory to prevent viewing. I'm not sure how that works, though. Let's hope someone else will come along with a magic wand to solve the problem. Smile

JPD
http://www.jpdeni.com/dbman/
Re: 404 file not found In reply to
Hi JPD,

Thanks for the reply. I had outside appointments, otherwise I would've responded sooner.

I have placed my query out on two other forums to see if I can get some feedback. As well as contacted the host provider for this client - (they will contact me within 24 hours). When I receive an answer that will resolve this issue, I will post it here so that if someone else encounters this, they will not yank their hair out. I now sport the 'Kojak-ette' look. ;)

Many thanks again for your assistance!

Kim

P.S. I too, had heard mention of the .htaccess file being placed within cgi-bin. I am surprised, as you were, that the cgi-bin is left wide open such as it is. My account is locked down, but on another server.

Software Made Easy
http://sme-net.com
Re: 404 file not found In reply to
To learn more about .htaccess and how to create the file, visit the FAQ below and go to the main portion of the site. There are many webmaster tips and tricks on that site.

A simple method of not displaying your file list is to just create a blank file and name it index.htm and place it in your cgi-bin directory.


Unofficial DBMan FAQ
http://webmagic.hypermart.net/dbman/
Re: 404 file not found In reply to
Lois, maybe you can answer this. If I (or Kim) were to put an .htaccess file within the dbman directory, would people be able to access the database without having to log in via the .htaccess thing? Or if it was in the cgi-bin, with the dbman directory below it?

Yes, putting an index.html file in both the cgi-bin and the dbman directory will prevent a listing of the files in the directory. I put one in my Mods directory so I could have temporary files in there without people coming in and taking them before they were ready.

(I see that Kim has already done this. Good job! Smile)

But for Kim's clients, if someone knows the names of the files, they would still be able to access them. For example, I typed in http://viewpointdesign.net/...in/dbman/default.cfg and got the .cfg file to come up in my browser. What's worse is that I also got the .pass file to come up.

Lois, I know that you know that this isn't the be-all and end-all of security. But I did want to mention it.

Also, I couldn't find the info on your site about .htaccess. Which link do I need to follow for it?

JPD
http://www.jpdeni.com/dbman/
Re: 404 file not found In reply to
Thank you for your reply. I was just getting ready to re-post to the group and share that I had found the problem and what I have done to resolve the issue.

You are right in that I needed to insert an .html file into each directory to disallow snoopers.

I admit it took me a while to understand this. What stumbled me up was that I am used to hosting providers securing the cgi-bin. I then proceeded to create the .html file and placed it in each directory under the cgi-bin at that time. I currently use this method under other directories. It just never dawned on me what was really the issue.....I must secure the client's cgi-bin manually. ;)

I also created an .htaccess file with custom error pages while I was at it. Thanks for the tip on the place for creating .htaccess files. I will go out there immediately when I am done. If I understood correctly in reading, I can accomplish the same thing as the .html file does by inserting one line into the .htaccess file that keeps the files within all directories closed to viewing? If so, I will use that method for future projects.

Additionally, the reason I could not access the logon screen was due to the fact that I had the wrong path for the $db_dir_url. I do believe I had looked at it so long to confirm that I was right, that my mind registered it as correct. ;) So the moral of the story.....two minds are better than one! ; )

Thanks for your help! I also want to take the time to thank JPD for all of her assistance as well!

Best Regards,

Kim Lanners

Software Made Easy
http://sme-net.com
Re: 404 file not found In reply to
The .htaccess file basically keeps people from getting a listing of your files.

You should only have to place one .htaccess file in your root directory to prevent directories listing on your whole site.
quote:
If I (or Kim) were to put an .htaccess file within the dbman directory, would people be able to access the database without having to log in via the .htaccess thing?

Yes unless you are using .htaccess to protect a directory and then it would require them to login. Because you are protecting it with a login procedure.

When using any other scripts it's best to rename your files, as when people don't then it is easy for others to know what file names to type in directly to get the information they want. It's amazing how many people leave even files with credit card information available to others who know the file structure of a downloaded script.

The information on webmagic is under CGI Tips and Tricks and there are links to more information about security. .htaccess in this case is not really protecting your directory or files, but rather just making it so that you can not get a file listing. And it's only necessary to put the .htaccess file in your root directory with the following lines:

Options -Indexes

to have it not display any index searches on your server.

The best thing to do when you are worried about security is to check with your host provider and search the web for information.


Unofficial DBMan FAQ
http://webmagic.hypermart.net/dbman/
Re: 404 file not found In reply to
Hi Lois,

Another day on the road, thus the late response. First, thank you for taking the time to share what you just did in your note.

I logged onto the forum at the host provider of my client and found that this same issue had been raised by others. It seems that the cgi-bin is not treated any differently than any other directory. Thus allowing more flexibility in using the bin. Whereas other hosts provide a cgi-bin that is restricted to .cgi's and secured.

You are right though, there are many sites out there that are wide open for snooping and misuse simply because the appropriate steps have not been taken to assure security.

I did research after your initial post regarding the line I would include within the .htaccess file at root level, so as to avoid having to place the index.html file within each directory. Initially, I tried:

DirectoryIndex alert /alert.html

Well, this effectively cut the site off to everyone...period. This, of course was not my objective so I went one step further in that I wanted to use the file I already had created, so this is what I came up with:

Options -Indexes
ErrorDocument 403 /alert/alert.html

The -Indexes stops peeking into the folder and the ErrorDocument changes what error file to use.

It works like a charm!

This has been an invaluable lesson for me. I will NEVER assume cgi-bin protection. I will prepare for it with adding the .htaccess file content above. ;)

Thanks again for your help! ;)

Best Regards,

Kim Lanners




Software Made Easy
http://sme-net.com
Re: 404 file not found In reply to
Ain't it great to learn stuff like this? I've learned a lot myself.

There still is the problem of folks being able to read the files if they know what the filenames are. Anyone who is familiar with DBMan could just type in the names of the files and access them. My suggestion is that you change all the file names -- including db.cgi.

JPD
http://www.jpdeni.com/dbman/
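
An added example, not part of any post in this thread: a Python sketch that audits a local copy of a web root for the two problems discussed above, directories that would still show a listing and data files that stay reachable by exact name. The extension list, the simplified `Options` inheritance, and the sample tree with its file names are assumptions constructed for illustration.

```python
import os
import tempfile

INDEX_NAMES = {"index.html", "index.htm"}     # blank-index trick from the thread
SENSITIVE = (".cfg", ".pass", ".db", ".log")  # assumed data-file extensions

def indexes_setting(htaccess):
    """True/False if this .htaccess turns Indexes on/off, None if it is silent."""
    result = None
    with open(htaccess) as fh:
        for line in fh:
            words = line.split("#")[0].split()
            if words and words[0].lower() == "options":
                opts = [w.lower() for w in words[1:]]
                if any(o[0] not in "+-" for o in opts):  # absolute form replaces the set
                    result = "indexes" in opts or "all" in opts
                elif "-indexes" in opts or "+indexes" in opts:
                    result = "+indexes" in opts
    return result

def audit(docroot, server_default=True):
    """Return (listable_dirs, exposed_files), sorted, relative to docroot."""
    docroot = os.path.normpath(docroot)
    effective, listable, exposed = {}, [], []
    for path, _dirs, files in os.walk(docroot):          # top-down: parents first
        ht = os.path.join(path, ".htaccess")
        own = indexes_setting(ht) if os.path.isfile(ht) else None
        inherited = effective.get(os.path.dirname(path), server_default)
        effective[path] = inherited if own is None else own
        rel = os.path.relpath(path, docroot)
        if effective[path] and not INDEX_NAMES & set(files):
            listable.append(rel)                         # no index file, Indexes on
        exposed += [os.path.join(rel, f) for f in files if f.endswith(SENSITIVE)]
    return sorted(listable), sorted(exposed)

def build_sample(harden):
    """Constructed tree: cgi-bin/dbman holding DBMan-style files, as in the thread."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "cgi-bin", "dbman", "auth"))
    for rel in ("index.html", "cgi-bin/dbman/db.cgi", "cgi-bin/dbman/default.cfg",
                "cgi-bin/dbman/default.pass", "cgi-bin/dbman/auth/index.html"):
        open(os.path.join(root, rel), "w").close()
    if harden:  # the root .htaccess lines quoted in the thread
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("Options -Indexes\nErrorDocument 403 /alert/alert.html\n")
    return root

if __name__ == "__main__":
    print(audit(build_sample(False)), audit(build_sample(True)))
```

With the root `.htaccess` in place the first list empties, but the second list is unchanged: turning off listings does not stop a request for a file whose name is already known. The audit assumes the server honours `Options` in `.htaccess` files.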
Re: 404 file not found In reply to
Hi JPD!

I am amazed at how thick headed I can be!!!! Duh! Thank you for pounding this into my head. You and LoisC have only told me this how many times???? (I am somewhat slow, but not dangerous ;) )

I will work on this immediately.

Thanks a million!

Best Regards,

Kim Lanners



Software Made Easy
http://sme-net.com
Re: 404 file not found In reply to
Hmmm. 404 errors sometimes mean that you typed in the URL incorrectly. I can duplicate that error by typing something wrong. What URL are you typing? Publish it here and maybe people can try to figure out if that is the problem?