[LUNI] Which cgi-bin in Ubuntu?
Martin Maney
maney at two14.net
Wed Oct 13 23:49:21 CDT 2010
On Wed, Oct 13, 2010 at 08:34:57PM -0700, Ramin K wrote:
> On 10/13/2010 8:16 PM, Clyde Forrester wrote:
> > I am about to attempt primitive web experiments with Perl, and I've hit
> > a snag. I'm using Ubuntu Linux 9.10 and Apache2. The general area for
> > the server is in /var/www/, but the cgi-bin directory is in /usr/lib/.
> 1. Don't mess with the system config files like httpd.conf. Instead
> create your own config in /etc/apache/sites-available/my.site.com.conf
> and then enable it. Makes updates simpler and it's easier to track your
> changes.
+1, excellent advice
> 2. Don't worry about using the cgi directory. You'll likely want to keep
> all your application files together. Like this.
>
> <Directory /var/www/my.site.com/cgi>
> AddHandler cgi-script .pl
> Options ExecCGI Indexes FollowSymLinks MultiViews
> AllowOverride None
> Order deny,allow
> Deny from all
> </Directory>
-1, terrible idea
The principle of separating the cgi directory from the server's
document tree is rooted in basic security practices 101: never put
something that you might not want others to be able to see in the open.
Allowing Indexes in that directory is just piling it on.
That said, I've done this sort of thing for a "safe"
inside-the-firewall server, for ease of playing around. But exposing
the cgi directory to the internet, that's just dumb. Consider the
number of easily exploitable CGI scripts that have been in wide use over
the years and you'll understand that getting that directory listing can
be nearly as valuable to an attacker as being able to read the actual
script. :-(
--
If the best we can do is make technology as dangerous, non-robust,
capricious, arcane, alienating, marginal, and costly as "magic",
then we have really crappy technology. -- goliard
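As an added illustration of the point argued above (example config, not from anyone in the thread): a per-site file for /etc/apache2/sites-available that keeps the scripts outside DocumentRoot and reachable only through ScriptAlias, so neither a directory listing nor the script source can be fetched as a plain file. Apache 2.2 directives are used to match the thread; the paths under /var/www/my.site.com and /var/lib/my.site.com are assumed.

```apache
# Added example (not from the thread). Requires mod_cgi (or mod_cgid)
# and mod_alias, both enabled by default on Ubuntu's apache2.
<VirtualHost *:80>
    ServerName my.site.com
    DocumentRoot /var/www/my.site.com/htdocs

    # Static content only: no listings, no script execution here.
    <Directory /var/www/my.site.com/htdocs>
        Options -Indexes -ExecCGI +FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Scripts live outside the document tree (assumed path).  A request
    # for /cgi-bin/foo.pl runs the script; there is no URL that maps to
    # the directory as a browsable folder or to the .pl file as text.
    ScriptAlias /cgi-bin/ /var/lib/my.site.com/cgi-bin/

    <Directory /var/lib/my.site.com/cgi-bin>
        # ScriptAlias already marks this directory as CGI-only;
        # -Indexes is stated explicitly so a listing can never be served.
        Options -Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

Enable it with `a2ensite my.site.com` and reload apache2; compare with the quoted config above, where the scripts sit inside /var/www and Indexes is switched on.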