Topic: SECURITY: album.cfg in cgi-bin

[Mike Bobbitt]

Hello all!

I've been alerted to the fact that on some systems, your config file (album.cfg) can be downloaded directly. In these cases, you should move album.cfg out of your cgi-bin directory, so that is no longer accessible under your web root.

Once you have moved the config file, you'll have to edit album.pl, to tell it where you moved it. This is done by changing the "configfile=" line, which appears near the very beginning of the script.

You may also be able to re-configure your web server to disallow access to .cfg files in your cgi-bin directory, though this is not the simplest solution.

To test if your site is vulnerable, go to your album, and replace the "pl" at the end of the URL with "cfg". Some servers will just throw an internal server error, but others will allow the user to download your configuration.

If you have any questions about this, please post them here.

Cheers

[michael]

Heh, woops, teach me to watch my permissions. I just took off read access for the public, which is what everyone else can do as well.. CHMOD 640 or 600

[fivepin]

I know we aren't supposed to post here, but I wanted to make you aware of this Mike.

I did exactly as you said, and it broke my album.  I tried moving the cfg to a different folder, I tried keeping it in the cgi-bin with the same name ... but the album.pl never worked again.

I fixed it by doing a REPLACE in the album.pl ...  replace all album.cfg with xxxxx.cfg (my new filename).  this worked.  

One question, if I changed the name of the cfg file, that does mean that all the subfolder cfg files will have to change to the same name, right?

[Mike Bobbitt]

Changing the "configfile=" line is a bit more complicated than it appears... You can change it in a relative way, I.E. "configfile=../config/album.cfg" or in an absolute way ("configfile=/home/user/album.cfg") but anything other than that is likely to break it.

What did you change the configfile= line to? (When it was broken...)

[fivepin]

What did you change the configfile= line to? (When it was broken...)

I thought I may be having path problems, so I even simply changed the line to read

configfile=install.cfg

and I renamed the album.cfg to install.cfg.  simple as that, and it didn't work.  not until I did a "replace" of album.cfg to install.cfg.  Then it worked just fine.

[Mike Bobbitt]

Yeah, the code is a bit tricky there. It tries to open "configfile" as you've defined it, which by default is just "album.cfg" with no directory.

That pretty much always fails, so (among other things) it tries to append the current directory's path to a hard-coded album.cfg, and that usually works. But since it was hard coded, it would fail if you changed the name.

So (to try to be brief) I've added a new attempt in the code which should make it work for you. If you want to re-download and copy over your album.pl, it should work.

Cheers

[p5mmx10g]

on album.pl, change $::configfile="album.cfg";
to $::configfile="alongassfilenamewith123.cfg";

and set your cgi-bin folder can't list directory.

i guess in that way, there is noway for other people to guess your config file name. so they can't open it and try to hack your password path.

[Mike Bobbitt]

Yep, that's another good method for securing your settings... Thanks!