[Solved] how to restrict running cgi script to authenticated users only?
Added by JumpZero about 7 years ago
Hello,
I have a lighttpd (1.4.45) web server running for five years now on a Raspberry Pi running latest Raspbian Stretch.
And I'm happy with that.
I have two areas on this web server: one is public, the other one is private.
The private one is accessible through the auth module after entering a login and password.
It works fine.
I also have a few cgi-scripts. These scripts are called by pressing buttons on html pages located in the private area only.
Since these scripts do private stuff they must remain private.
However, I noticed that if one knows the name of a script, one can run it without being authenticated, just by entering the url/cgi-bin/scriptname in the browser address bar.
Of course you have to know the script name, and even if it's not easy to find, I don't feel safe with that.
I have tried to move the cgi-bin directory into the private directory, but still anybody can run the script.
I haven't found any option in the cgi module doc.
Any suggestion or idea will be welcome.
Thanks
--
Jmp0
Replies (2)
RE: [Solved] how to restrict running cgi script to authenticated users only? - Added by gstrauss about 7 years ago
Protect the /cgi-bin/ url-path with the same authentication requirements as the private area, or even better, move them under the private area.
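The approach in the reply above, sketched as a lighttpd 1.4 configuration. This is an added example, not part of the original thread: the URL paths, realm name and htdigest file location are assumptions. `auth.require` keys are matched against the URL path of the request, not the location of the file on disk, so the `/cgi-bin/` URL needs its own entry (or the scripts must be served from a URL below the protected prefix).

```lighttpd
# Added example; paths, realm and userfile are assumed values.

# mod_auth is listed before mod_cgi, following lighttpd's recommended
# module order, so the auth check runs before the CGI handler.
server.modules += ( "mod_auth", "mod_cgi" )

auth.backend                   = "htdigest"
auth.backend.htdigest.userfile = "/etc/lighttpd/lighttpd.user.htdigest"

# Before: only the private pages require a login. A request for
# /cgi-bin/<script> matches no prefix here and is served to anyone.
#
# auth.require = (
#     "/private/" => ( "method"  => "digest",
#                      "realm"   => "private area",
#                      "require" => "valid-user" )
# )

# After: the CGI URL path carries the same requirement as the private area.
auth.require = (
    "/private/" => ( "method"  => "digest",
                     "realm"   => "private area",
                     "require" => "valid-user" ),
    "/cgi-bin/" => ( "method"  => "digest",
                     "realm"   => "private area",
                     "require" => "valid-user" )
)

# CGI execution stays limited to the one protected URL prefix.
$HTTP["url"] =~ "^/cgi-bin/" {
    cgi.assign = ( "" => "" )
}
```

After reloading lighttpd, a request for a script URL sent without credentials (for example with `curl -i`) should return `401 Unauthorized` instead of running the script.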
RE: [Solved] how to restrict running cgi script to authenticated users only? - Added by JumpZero about 7 years ago
Thanks,
It works. It was so simple, I feel stupid!
Lighttpd is great ;-)
--
Jmp0