How To Secure a Folder?


I discovered a serious security hole on my site. I found that anyone with
a browser (at least IE8 and Opera 10) can view or download proprietary
files in the cgi-bin folder.

How do I lock out everyone, except my domain?
Ed Jay (remove 'M' to respond by email)

Re: How To Secure a Folder?

Ed Jay wrote:

Don't put them in a directory accessible via the web and make them only
available to authorized users via a script.

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.

Re: How To Secure a Folder?


Set the permissions on your web server. "Download" (often just "Read")
for content directories, "Execute" for scripts, never both at the same
time.  You'll likely need to separate content and scripts, and
certainly any writable files, by directory to make it simple enough to

Exactly how you do this depends on web server and OS. Web searching
should turn up tutorial guides for the usual suspects.

I _wouldn't_ change the use of these permissions on the basis of who's
connecting. If you're giving yourself "edit access" to them, then use
a channel other than HTTP to work on them altogether (look into SSH).
If you're building extranets, then you need a more sophisticated
approach altogether. I'd talk about Java-related ways of doing this,
but if you're just using cgi-bin as a directory, then I guess this
isn't a particularly big app and it's just a few form-mail scripts

Re: How To Secure a Folder?

Ed Jay wrote:


Sounds like your cgi-bin directory isn't a real script aliased
directory.  If it was, only files set to execute and produce actual
content type headers/output would work (and only display what you tell
them to).  Files in the script aliased cgi-bin directory should
otherwise produce an internal server error.  Ask your host to set the
directory as a real script aliased directory.  If they won't, then any
files you don't want to be publicly accessible (downloaded directly)
should be stored outside of your web root (or you can perhaps deny
direct access via rules in an .htaccess file or something such as that
either per directory or file name, where the scripts can still
include/use or display them, but any direct web access doesn't work
(and you can possibly accomplish that same thing safer by using
permissions, if your host has the web server set up that way)).
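Both Jerry's reply (keep the files out of any web-served directory and hand them out through a script) and the reply above (store them outside the web root, let a real ScriptAlias'd script decide what is displayed) come down to the same gate script. The following is an added example written for this thread, not code posted by any of the participants. It assumes a hypothetical private directory /home/site/private that sits beside, not inside, the web root, that the web server has already authenticated the user and exported REMOTE_USER (for Apache that would be AuthType Basic plus Require valid-user on the script, also an assumption), and that the script itself lives in a genuine ScriptAlias'd cgi-bin so the server executes it rather than serving its source.

```python
import mimetypes
import os
import sys
import tempfile
from http import HTTPStatus
from pathlib import Path
from urllib.parse import parse_qs

# Assumptions for this added example (not from the thread):
PRIVATE_DIR = Path("/home/site/private")   # outside the web root, never Alias'd
ALLOWED_USERS = {"ed", "alice"}             # users the server authenticated (REMOTE_USER)


def resolve_request(name, private_dir=PRIVATE_DIR):
    """Map a client-supplied file name onto a path strictly inside private_dir.

    Returns the resolved Path, or None when the name is empty, contains a NUL,
    or escapes the directory (../ sequences, absolute paths, symlinks that
    point outside). resolve() follows symlinks and collapses "..", so the
    containment check is done on the real path, not the text the client sent.
    """
    if not name or "\x00" in name:
        return None
    base = Path(private_dir).resolve()
    candidate = (base / name).resolve()
    try:
        candidate.relative_to(base)         # ValueError if candidate is outside base
    except ValueError:
        return None
    return None if candidate == base else candidate


def authorize(remote_user, allowed=ALLOWED_USERS):
    """Only a user the web server authenticated AND we list may download."""
    return bool(remote_user) and remote_user in allowed


def handle(name, remote_user, private_dir=PRIVATE_DIR):
    """Return (status, headers, body) for one download request."""
    if not authorize(remote_user):
        return 403, [("Content-Type", "text/plain")], b"Forbidden\n"
    path = resolve_request(name, private_dir)
    if path is None or not path.is_file():
        # One answer for "escaped the directory" and "no such file", so the
        # client cannot probe which names exist outside private_dir.
        return 404, [("Content-Type", "text/plain")], b"Not found\n"
    ctype = mimetypes.guess_type(str(path))[0] or "application/octet-stream"
    headers = [
        ("Content-Type", ctype),
        ("Content-Disposition", 'attachment; filename="%s"' % path.name),
    ]
    return 200, headers, path.read_bytes()


def make_demo_dir():
    """Constructed sample data: a throwaway private directory with one file."""
    d = Path(tempfile.mkdtemp(prefix="private-"))
    (d / "pricelist.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    return d


def main():
    """CGI entry point: the server supplies QUERY_STRING and REMOTE_USER."""
    qs = parse_qs(os.environ.get("QUERY_STRING", ""))
    name = qs.get("file", [""])[0]
    status, headers, body = handle(name, os.environ.get("REMOTE_USER"))
    out = sys.stdout.buffer
    # CGI "Status:" header tells the server which HTTP status to send.
    out.write(("Status: %d %s\r\n" % (status, HTTPStatus(status).phrase)).encode())
    for key, value in headers:
        out.write(("%s: %s\r\n" % (key, value)).encode())
    out.write(b"\r\n")
    out.write(body)


if __name__ == "__main__":
    main()
```

The script is called as cgi-bin/getfile.py?file=pricelist.pdf (a hypothetical name). Nothing under PRIVATE_DIR is ever reachable by URL, so a browser that hits the directory directly gets nothing, and the only way to a file is through handle(), which refuses unauthenticated or unlisted users before it even looks at the name and then refuses any name that does not resolve to a regular file inside the private directory.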
