Security and permissions

Hi!

I must have made something wrong down the line. All my DB Man files lie within my cgi-bin and the permissions are set as suggested.

Now, I just discovered that I can step right into the .pass file from any browser by pointing to the full URL....

Obviously, the files underneath my cgi-bin shouldn't be this easily accessible, and I know that the point is to make only the .cgi callable from outside?

Please help!....

Thanks! :)

Re: Security and permissions
I bet you can't log in using someone else's password though.

(Hint: Encryption)

Mods:http://wiredon.net/gt/download.shtml
Installs:http://wiredon.net/gt/


Re: Security and permissions
No (but all email addresses are listed nicely....). I really don't want any files to be accessible from outside, and I know this can be done (UNIX server) - and I feel kinda stupid not knowing how.

Re: Security and permissions
Create a .htaccess file and put it in the same directory as default.pass

<Files default.pass>
Order Deny,Allow
Deny from all
</Files>


Re: Security and permissions
Thanks!

Is this to be created as a "text", "shell script", or other file type? What permissions should I set this to? Is that code all that should be contained?

Appreciate it!

Re: Security and permissions
The file should be called .htaccess, not .htaccess.txt or anything else... JUST .htaccess - just upload it and it should disappear from view.

Yes only use that code.


Re: Security and permissions
Thanks

Problem is that this blocked everything... i.e. can't run the .cgi DB Man app

Re: Security and permissions
Don't know why - the code is only blocking default.pass

Try changing <Files default.pass> to

<FilesMatch "\.pass$">

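Putting the two .htaccess suggestions above together, here is a complete file as an added example (not code posted in the thread). It assumes Apache with .htaccess overrides enabled for the cgi-bin (AllowOverride Limit for the old syntax, AuthConfig for the 2.4 syntax) and also covers the .cfg file, since that is where the thread says the $auth_pw_file path lives:

```apache
# .htaccess for the cgi-bin holding the DBMan files (added example).
# Goal: direct browser requests for *.pass and *.cfg are refused,
# while *.cgi stays callable. The scripts still read the files from disk;
# this only blocks the web server from serving them as documents.
#
# The dot is escaped: an unescaped ".pass$" would also match names
# such as "mypass", which is harmless but not what was intended.

# Apache 2.2 and older (mod_access_compat / mod_access).
# "Order Deny,Allow" takes ONE argument. Writing "Order Deny, Allow"
# (with a space) is a syntax error; the whole .htaccess then fails to
# load and every request to the directory returns 500, which looks
# like "everything is blocked" rather than "only .pass is blocked".
<IfModule !mod_authz_core.c>
  <FilesMatch "\.(pass|cfg)$">
    Order Deny,Allow
    Deny from all
  </FilesMatch>
</IfModule>

# Apache 2.4 and newer (mod_authz_core): same effect, new syntax.
<IfModule mod_authz_core.c>
  <FilesMatch "\.(pass|cfg)$">
    Require all denied
  </FilesMatch>
</IfModule>
```

After uploading, a request for default.pass should return 403 while the .cgi still runs; a 500 on the .cgi means the .htaccess itself failed to parse and the server error log will name the offending directive.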

Re: Security and permissions
One thing you could do is to put your .pass file into another directory.

To do so, in your .cfg file you would use the full PATH, not the URL, to where the .pass file is located. An example would be:

$auth_pw_file = '/data1/virtualave.net/username/public_html/cgi-bin/allsite.pass';

I do this for all my .pass files.

And also name it something others would not think of. Using default.pass is not a good idea.

Hope this helps :)

Unofficial DBMan FAQ
http://webmagic.hypermart.net/dbman/
Re: Security and permissions
Thanks. Yes, those are really good suggestions, but they "only" increase security at the "try to hide files from users" level... ? :)

Re: Security and permissions
Is this even possible (under UNIX)?:

To set permissions so that your CGIs can only be executed by y-o-u-r CGIs located on y-o-u-r server? For instance, I call other CGI scripts from within my DB Man; I would love it to be set so that if someone sets up the same parameters in a form (hosted somewhere else) they can't trigger the same actions as I can from within DB Man.... hmmmmm

Re: Security and permissions
Yes... and there is a Mod for doing this at:

http://www.jpdeni.com/dbman/

and also this issue is referenced at the Unofficial DBMAN FAQ, which is linked in the Resources section of this site.

Also, I posted code for using HTTP_REFERER that will lock access to your CGI scripts to your domain, not allowing others to copy query strings or form code from your site. If they do, then they won't be able to execute the script.

Also, LINKS 2.0 has db_referer code that will only allow scripts to run through your domain.

And it is NOT an OS issue... you can install Perl code in any CGI script on ANY type of server/platform that will prohibit other users from executing your scripts other than from your domain/web address.

Regards,

Eliot Lee
http://anthrotech.com/