
SECURITY: album.cfg in cgi-bin


Mike Bobbitt:
Hello all!

I've been alerted to the fact that on some systems, your config file (album.cfg) can be downloaded directly. In these cases, you should move album.cfg out of your cgi-bin directory, so that it is no longer accessible under your web root.

Once you have moved the config file, you'll have to edit album.pl, to tell it where you moved it. This is done by changing the "configfile=" line, which appears near the very beginning of the script.

You may also be able to re-configure your web server to disallow access to .cfg files in your cgi-bin directory, though this is not the simplest solution.

To test if your site is vulnerable, go to your album, and replace the "pl" at the end of the URL with "cfg". Some servers will just throw an internal server error, but others will allow the user to download your configuration.

If you have any questions about this, please post them here.

Cheers
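A concrete form of the web-server option mentioned above, added here as an example rather than anything from the original post or the Album distribution: an Apache httpd block that refuses to serve .cfg files from the cgi-bin directory. The directory path is a placeholder for your own ScriptAlias directory.

```apache
# Added example, not from the original post or the Album distribution.
# Refuse to serve *.cfg files from the cgi-bin directory, so album.cfg
# cannot be downloaded even if it stays next to album.pl (album.pl itself
# still reads the file from disk, which this block does not affect).
# The path below is a placeholder; use the directory your ScriptAlias
# points at.
<Directory "/var/www/cgi-bin">
    <FilesMatch "\.cfg$">
        # Apache 2.4 and later
        Require all denied
        # Apache 2.2 and older use these two lines instead:
        #   Order allow,deny
        #   Deny from all
    </FilesMatch>
</Directory>
```

After reloading the server, repeating the self-test from the post (replacing "pl" with "cfg" at the end of the album URL) should return a 403 Forbidden instead of the file contents.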

michael:
Heh, whoops, teach me to watch my permissions. I just took off read access for the public, which is what everyone else can do as well... chmod 640 or 600

fivepin:
I know we aren't supposed to post here, but I wanted to make you aware of this Mike.

I did exactly as you said, and it broke my album. I tried moving the cfg to a different folder, I tried keeping it in the cgi-bin with the same name ... but the album.pl never worked again.

I fixed it by doing a REPLACE in album.pl ... replace all album.cfg with xxxxx.cfg (my new filename). This worked.

One question, if I changed the name of the cfg file, that does mean that all the subfolder cfg files will have to change to the same name, right?

Mike Bobbitt:
Changing the "configfile=" line is a bit more complicated than it appears... You can change it in a relative way, i.e. "configfile=../config/album.cfg", or in an absolute way ("configfile=/home/user/album.cfg"), but anything other than that is likely to break it.

What did you change the configfile= line to? (When it was broken...)

fivepin:
--- Quote ---
What did you change the configfile= line to? (When it was broken...)
--- End quote ---

I thought I may be having path problems, so I even simply changed the line to read

configfile=install.cfg

and I renamed the album.cfg to install.cfg. Simple as that, and it didn't work. Not until I did a "replace" of album.cfg to install.cfg. Then it worked just fine.
