Gossamer Forum

Security leak?

I have installed DBMAN on a webserver running SunOS 5.6. Everything is running fine, but there's a huge security leak as far as I can see. When accessing

<dbdir>/default.cfg

the file is sent back to the client providing information about the database filename etc. Same thing is then true for the database file, it is simply sent back to everybody when requested! I have set the permissions as described in the README file.

664 on the default.cfg
666 on the default.db

I have tried changing the permission for the config file to 660, but then DBMAN cannot locate it any more.
I do not have a cgi-bin (or any other script-alias) directory, so unfortunately I cannot use that as a work-around.

I would welcome any suggestions on how to solve this problem! Thank you in advance!

(For obvious reasons I do not include a link to the database here.)

Happy easter from Germany!

Joerg.
Re: Security leak?
For most folks, the files in the cgi-bin are not directly accessible through the web. (This is the reason that, when someone has a problem, I always ask them to copy the file to a web-accessible directory and to rename the file so it has a .txt extension. Otherwise I can't read it.)

If your directory is not protected, I'm not quite sure what you should do. Possibly your system administrator can give you some ideas.

------------------
JPD
Re: Security leak?
Thanks for your reply.

The problem, however, is that it is not a real cgi-bin directory. The script is located on a virtual server that allows cgi scripts in every directory, provided the permission to execute is set.

I would be more than happy to simply rename the config file and with it the database files, but the problem is that I need to pass the config file name in the URL where it is visible for everybody. Is there a way to get around this? I am only planning to run this script with one database, so I wouldn't necessarily have to send the config file name every time, would I?

Kind regards,

Joerg.

Re: Security leak?
The script will automatically send the .cfg file name when you submit a form. I don't know any way around it.

Is there any way that your server admin could set up a directory from which you could run .cgi scripts, but would not allow direct access to the files?

------------------
JPD
Re: Security leak?
I got it! What I did to solve the problem is I renamed my config file to "default.cgi". It is still readable by the script, but will not be sent back to everybody due to its file extension and its lack of "execute" permission.
I now also renamed the database and other files, so nobody will get to see them.

Thanks for your help, I really appreciate it!

Joerg.
Re: Security leak?
Cool! That's a very good way to do it.

You probably already know this, but just in case someone else reads this and doesn't know, the big thing you'll need to change is in the db.cgi file:

Code:
require "$db_setup.cfg"; # Database Definition File

Change that to

Code:
require "$db_setup.cgi"; # Database Definition File

and you should be fine.

------------------
JPD
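As an added example (not code from the thread or from DBMan), a small POSIX shell audit of the fix worked out above: it lists .cfg/.db files still sitting under names the server would hand out as text, reads the extension that the require line in db.cgi expects, and checks that both sides of the rename agree. It assumes the database is called default, as in the thread, and that the server serves any file not ending in .cgi verbatim.

```sh
#!/bin/sh
# Added example, not code from the thread or from DBMan: audit a DBMan
# directory that is itself web-accessible, as in Joerg's setup.
# Assumptions (not stated on the page): every file not ending in .cgi is
# served verbatim, the database is called "default", and db.cgi loads the
# definition file with a line of the form   require "$db_setup.EXT";

# exposed_files DIR
#   Prints each .cfg or .db file in DIR, i.e. every file a browser would
#   receive as plain text. Exit status 0 only when none are found.
exposed_files() {
    dir=$1
    found=0
    for f in "$dir"/*.cfg "$dir"/*.db; do
        [ -e "$f" ] || continue
        echo "$f"
        found=1
    done
    [ "$found" -eq 0 ]
}

# require_ext DB_CGI
#   Prints the extension db.cgi appends to $db_setup in its require line
#   ("cfg" before the fix, "cgi" after). Exit status 1 if no such line.
require_ext() {
    sed -n 's/^[[:space:]]*require[[:space:]]*"\$db_setup\.\([A-Za-z0-9]*\)".*/\1/p' "$1" \
        | head -n 1 | grep .
}

# fix_consistent DIR
#   Verifies the rename was completed on both sides: db.cgi requires .cgi,
#   default.cgi exists and is not executable (so the server will not try to
#   run it), and no .cfg/.db copies were left behind.
fix_consistent() {
    dir=$1
    ext=$(require_ext "$dir/db.cgi") || { echo "no require line in db.cgi"; return 1; }
    [ "$ext" = cgi ] || { echo "db.cgi still requires default.$ext"; return 1; }
    [ -f "$dir/default.cgi" ] || { echo "default.cgi missing"; return 1; }
    [ ! -x "$dir/default.cgi" ] || { echo "default.cgi is executable"; return 1; }
    exposed_files "$dir" >/dev/null || { echo "plain-text data files remain"; return 1; }
    echo "ok"
}

if [ $# -eq 1 ]; then
    fix_consistent "$1"
fi
```

Run it as `sh audit.sh /path/to/dbman` on the server itself; a non-zero exit names the first thing still out of step.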