People can execute my index.html. From the 'view source' of the index.html in any browser, anyone can see my file names linked in the index.html. Subsequently, s/he will find out all the .pl filenames running behind the htmls.
Since the .pl files and data files are all in my domain directory and its sub-directories, can people type the URL with the filenames directly and see my .pl file and data file contents?
I read through my server instructions; there are allow/deny or deny/allow options for specific clients. I do not think this can do much to protect my data files and .pl files.
But your concern is slightly misdirected. You should not so much be concerned about them getting to these files and directories, but more what they can do once they get there.
> And see my .pl file and data file contents.
This file should execute once it is requested. That is, they should not be able to see the .pl file contents as if it's being edited, it should run and output whatever it outputs. (more to this story below.)
As for your directories, DEFINITELY ensure that directory browsing is not allowed. To test this, browse to any directory on your site:
You should see the message "Directory Browsing Denied" (or "not allowed"). If you see all your files, this is not good - you have two solutions:
1. Get your web host to configure the domain so directory browsing is not allowed.
2. Place an index.html file in EVERY directory. With the proper domain set up, for the above URL, they will see your file, not the directory contents.
For your .pl files, as I said, it's not that someone can get to the files - it's what they do when they get there that you need to be concerned about. Securing perl scripts is a long topic, but one I will sum up with Selena Sol's comment from 1995 or so:
Every user input is a potential hack.
So the first point of concern for any script is to cleanse any input and disallow anything but EXACTLY what it should receive. Many think, "well, it's not on the form, so they can't send it anything else." But don't forget, I can send ANYTHING to a script via command line or web request:
This is especially true of mailer scripts, the largest target of hackers/spammers. If your "data" is via any type of online database, securing your scripts - from within, in the programming - is even more important.
Second, if these .pl files are not MEANT to be accessed from the web, as in an included perl library, you can follow the advice here [webmasterworld.com].
Some relevant searches: "script security", "sql injection", "email injection."
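As an added example (not code from this thread), here is one way to do the "disallow anything but EXACTLY what it should receive" step in Perl for a mailer script: every form field must match an allow-list regex, and a value containing a line break (the classic email-injection vector) is rejected rather than passed on to sendmail. The field names and the sample inputs are assumptions constructed for the example.

```perl
#!/usr/bin/perl
# Added example: allow-list validation of CGI form fields for a mailer script.
# Run as "perl -T script.pl" to also enable taint mode; the regex captures
# below are exactly what untaints a value before it may reach a system call.
use strict;
use warnings;

# Each validator returns the cleaned value or undef. Anchoring with \A..\z
# and listing allowed characters explicitly means a CR or LF never passes,
# so no extra mail header can be smuggled into the message.
my %validate = (
    # One address: local part, '@', dotted domain. No spaces, commas or newlines.
    email   => sub { $_[0] =~ /\A([\w.+-]+\@[\w-]+(?:\.[\w-]+)+)\z/ ? $1 : undef },
    # Subject: printable ASCII only, single line, bounded length.
    subject => sub { $_[0] =~ /\A([ -~]{1,100})\z/ ? $1 : undef },
    # Body: printable ASCII plus newline and tab, bounded size.
    body    => sub { $_[0] =~ /\A([ -~\n\t]{1,4000})\z/ ? $1 : undef },
);

# Returns a hashref of cleaned fields, or dies naming the first bad one.
# Fields not listed in %validate are silently dropped: the script only
# ever sees the inputs it was written to expect.
sub clean_input {
    my ($raw) = @_;
    my %clean;
    for my $field (sort keys %validate) {
        my $value = $raw->{$field};
        die "missing field: $field\n" unless defined $value;
        my $ok = $validate{$field}->($value);
        die "rejected field: $field\n" unless defined $ok;
        $clean{$field} = $ok;
    }
    return \%clean;
}

# Constructed sample submissions: the second carries an injected header line.
my @samples = (
    { email => 'alice@example.com', subject => 'Hello', body => "Hi there.\n" },
    { email => "alice\@example.com\nCc: other\@example.net", subject => 'Hello', body => 'x' },
);
for my $input (@samples) {
    my $clean = eval { clean_input($input) };
    print $clean ? "accepted: $clean->{email}\n" : "dropped: $@";
}
```

The same pattern applies to any script that builds a database query or a shell command from form data: validate against what the field must look like, never against a list of known-bad strings.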