[Gllug] More insecure practices at my ISP
Garry Heaton
garry at heaton6.freeserve.co.uk
Sat Apr 5 01:29:37 UTC 2003
With a PlusNet ADSL account each user has a document root at:
http://www.<username>.plus.com/
... and a CGI directory at:
http://cgi.<username>.plus.com/cgi-bin/
Since no ScriptAlias directive seems to have been configured in the
httpd.conf, HTML files access scripts via the absolute URL above. Whilst the
cgi-bin directory has been protected, its parent directory has not, so it is
publicly browsable by default.
I inserted a "Forbidden" index.html file in each directory to be on the safe
side, but if security on home directories is anything to go by there are
probably 1780 PlusNet users out there with publicly browsable home directories.
Garry
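An added example, not part of the original post: a check an account holder could run over a local copy of their web space to list the directories that contain no index file and would therefore fall back to a server-generated listing where browsing is enabled. The function names, the sample layout and the index file names are assumptions; match `INDEX_NAMES` to the server's actual DirectoryIndex setting.

```python
import os
import tempfile

# Assumed index file names; Apache's default DirectoryIndex is index.html.
INDEX_NAMES = ("index.html", "index.htm")


def dirs_without_index(root, index_names=INDEX_NAMES, skip=("cgi-bin",)):
    """Return sorted relative paths of directories under root that hold no
    index file. Directories named in `skip` are treated as already protected
    by the server (as the post says of cgi-bin) and are not descended into."""
    exposed = []
    for current, subdirs, files in os.walk(root):
        # Prune protected directories in place so os.walk skips them.
        subdirs[:] = sorted(d for d in subdirs if d not in skip)
        # Exact, case-sensitive match, as on a case-sensitive filesystem.
        if not set(index_names) & set(files):
            exposed.append(os.path.relpath(current, root))
    return sorted(exposed)


def build_sample_tree(root):
    """Create a constructed layout: the parent of cgi-bin has no index file,
    data/ has none either, images/ already has a placeholder."""
    for sub in ("cgi-bin", "data", "images"):
        os.makedirs(os.path.join(root, sub))
    for rel in ("cgi-bin/form.cgi", "data/notes.txt",
                "images/index.html", "images/logo.png"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("constructed sample file\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel in dirs_without_index(tmp):
            print("no index file:", rel)
```

A placeholder index file only hides the listing; any file whose name is known is still served, so the durable fix is on the server side, where directory listings are switched off.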