Gossamer Forum

how to secure?

I've installed DBMan on Hypermart, and set permissions properly. www.mydomain.com/cgi-bin/dbman

Problem is, I can view the password file if I enter the file name. I can also view the database.
How do I stop this? Directory Indexing is turned off.

Can it be done via htaccess? Maybe if all other files except db.cgi were in another directory I could make them forbidden to the web, or password protect the directory. And because db.cgi was NOT in that directory it could still be accessed.

Help!

Re: how to secure?
You can create an .htaccess file which would include:

Options -Indexes
DirectoryIndex index.html index.htm index.cgi

and you can also rename your password file so that it doesn't have the same name as your other database files. That would make it harder for others to guess what the filename would be.

You may find other information regarding security in the FAQ noted below.


Unofficial DBMan FAQ
http://webmagic.hypermart.net/dbman/

Re: how to secure?
Isn't there a more secure way?
Like deny access to all files, except db.cgi?

How does Gossamer Threads do it?
I don't want my database file directly viewed either.

Re: how to secure?
In Reply To:
Isn't there a more secure way?
Like deny access to all files, except db.cgi?
Nope...not really...if you change file or directory permissions, then the script will not execute.

In Reply To:
How does Gossamer Threads do it?
I don't want my database file directly viewed either.
They predominantly use MySQL for most of their databases and the demos of the flat files are most likely protected with .htaccess for the flat files.

Good luck!


Regards,

Eliot Lee
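
The "deny access to all files except db.cgi" idea raised in the thread, sketched as an .htaccess file. This is an added example, not something posted by anyone in the thread or taken from DBMan; it assumes the host lets .htaccess set access-control directives (AllowOverride) and that db.cgi is the only file browsers need to request. These rules apply to HTTP requests only and leave file permissions unchanged, so the script still opens the password and database files from disk.

```apache
# Added example, not from the thread. Place in the directory that holds db.cgi.
# Assumption: the host permits these directives in .htaccess (AllowOverride).

# Directory listings off, as in the thread. On its own this does not block
# a request for a file whose name is already known.
Options -Indexes

# Apache 2.4 and later
<IfModule mod_authz_core.c>
    # Default for every file in this directory: refuse HTTP requests.
    Require all denied
    # Exception: the CGI entry point.
    <Files "db.cgi">
        Require all granted
    </Files>
</IfModule>

# Apache 2.2 and earlier
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    <Files "db.cgi">
        Order allow,deny
        Allow from all
    </Files>
</IfModule>
```

To check it, request the password file by name and confirm the server answers 403 Forbidden, then confirm db.cgi still loads and can log in.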