Security risk?


Harley
01-26-2000, 02:50 PM
Hi!

I am curious if (and why) there is a security risk in having one's cgi directory as a subdirectory of the www directory.

Example:

    /home/<username>/virtual_html/cgi-local/

as opposed to:

    /home/<username>/cgi-local/

(A friend is looking into a host that is set up like that) (and FQ :))

Harley

Justin
01-26-2000, 03:20 PM
On our servers, the cgi-bin is kept outside of the web root. You cannot serve images or HTML files from the cgi-bin, and this also keeps users from being able to view data files or view your scripts that are in the cgi-bin. A lot of scripts keep data files, and if it is a commonly known script, a hacker could easily type in the URL to that data file:

http://www.domain.com/cgi-bin/banners.txt

On our servers, anything in the cgi-bin is taken to be executable, and calling a text file like that will simply return a server error - making it nearly impossible to view your data files and such :)

Another advantage to this is that you are not restricted as to what file extensions can be executed - if it's in the cgi-bin it is considered executable.

Hope this helps.

------------------
Justin Nelson
FutureQuest Support
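
An audit for the two layouts in the question, added here as an example and not part of the original thread: it reports which non-executable files in a cgi directory would map to a URL under the web root. The function names and the `banners.cgi` script are hypothetical, and it assumes the server hands out non-script files below the web root as static content.

```python
import stat
import tempfile
from pathlib import Path


def is_inside(child: Path, parent: Path) -> bool:
    """True when child resolves to parent itself or a path below it."""
    child, parent = child.resolve(), parent.resolve()
    return child == parent or parent in child.parents


def exposed_data_files(web_root: Path, cgi_dir: Path) -> list:
    """URL paths of non-executable files in cgi_dir reachable under web_root.

    Assumption: the server serves non-script files below the web root as
    static content. A cgi_dir outside the web root yields an empty list.
    """
    if not is_inside(cgi_dir, web_root):
        return []
    root = web_root.resolve()
    return [
        "/" + p.relative_to(root).as_posix()
        for p in sorted(cgi_dir.resolve().rglob("*"))
        if p.is_file() and not p.stat().st_mode & stat.S_IXUSR
    ]


def build_layout(home: Path, cgi_rel: str) -> tuple:
    """Create a constructed account: web root plus a cgi dir at cgi_rel."""
    web_root = home / "virtual_html"
    cgi_dir = home / cgi_rel
    web_root.mkdir(parents=True, exist_ok=True)
    cgi_dir.mkdir(parents=True, exist_ok=True)
    script = cgi_dir / "banners.cgi"          # constructed script name
    script.write_text("#!/bin/sh\necho\n")
    script.chmod(0o755)
    data = cgi_dir / "banners.txt"            # data file named in the post
    data.write_text("constructed sample data\n")
    data.chmod(0o644)
    return web_root, cgi_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("virtual_html/cgi-local", "cgi-local"):
            root, cgi = build_layout(Path(tmp) / rel.replace("/", "_"), rel)
            print(rel, "->", exposed_data_files(root, cgi))
```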