I’m creating a new design for a website, and there is an old CGI script, which sends an email to our server.
I can’t post the code here because of privacy issues, but the problem will be clear in a second.
This CGI script takes some templates, and then redirects to a “thanks.htm” page. But while doing this, it is using absolute paths.
Now the question: Is it secure to use absolute paths? I mean, is it possible to read out the CGI scripts to get information about the server architecture?
Thanks in advance,
Greetings Thunderhook
You didn’t mention which platform or webserver, but regardless, a properly configured web server shouldn’t be able to serve readable CGI scripts. I would think that in a secured environment, the cgi-bin directory should live outside of accessible webspace.
IMHO, the problem with using absolute paths isn’t a security issue as much as an extensibility issue. If it were my app, I would set an OS environment variable to the document root, then build the absolute path using that variable. Does that provide some added security? Maybe – as your concerns about file structure recon are somewhat mitigated. But it certainly makes it easier to reconfigure the app, or port it to a new server/location.
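As an added illustration of the approach in the answer above (not code from the original post or from the asker's script), here is a small Python helper that builds the absolute template path from an environment variable instead of hard-coding it, and adds the containment check a practitioner would want alongside it: the resolved path must stay inside the configured root, so a template name containing `../` or an absolute path is rejected. The variable name `APP_TEMPLATE_ROOT`, the fallback to `DOCUMENT_ROOT`, the default directory and the template names are all assumptions for the example.

```python
import os
from pathlib import Path

# Hypothetical fallback used only when no environment variable is set;
# not a path from the original post.
DEFAULT_ROOT = "/srv/www/example"


def template_root(env=None) -> Path:
    """Return the absolute template root, taken from the environment.

    Precedence (all names assumed for this example): APP_TEMPLATE_ROOT,
    then the DOCUMENT_ROOT that CGI servers commonly export, then a default.
    Passing `env` explicitly makes the function testable without touching
    the real process environment.
    """
    env = os.environ if env is None else env
    root = env.get("APP_TEMPLATE_ROOT") or env.get("DOCUMENT_ROOT") or DEFAULT_ROOT
    return Path(root).resolve()


def template_path(name: str, env=None) -> Path:
    """Build the absolute path of a template under the root and verify it.

    The path is normalised first (".." segments collapsed, symlinks followed
    where they exist), then checked to be the root itself or a descendant of
    it. An absolute name such as "/etc/passwd" or a traversal such as
    "../../etc/passwd" therefore raises instead of being opened.
    """
    root = template_root(env)
    candidate = (root / name).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"template {name!r} escapes the template root {root}")
    return candidate


if __name__ == "__main__":
    # Constructed sample environment for a stand-alone run.
    sample_env = {"APP_TEMPLATE_ROOT": "/srv/www/example"}
    print(template_path("thanks.htm", sample_env))
    print(template_path("mail/body.tmpl", sample_env))
    for bad in ("../../etc/passwd", "/etc/passwd"):
        try:
            template_path(bad, sample_env)
        except ValueError as exc:
            print("rejected:", exc)
```

With this in place, moving the site to a new server or directory only means changing the environment variable (for example with `SetEnv` in the web server configuration), and the script itself no longer needs to contain the document root at all.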