04-21-2009 09:53 PM
Hello all,
We are using the gweb server to run our analysis web site, and found a security concern. Our web system needs access to the cgi-bin directory and all its subdirectories (20+) in order for the system to operate properly, but we have found this also allows any user to do a directory listing and download any files in these directories. Because our system is not using the gweb server for access control, we cannot just deny all access to all these directories, as it prevents our system from accessing them as well. We have found a solution to this, but we are hoping to be able to tune it:
If we use the following commands in the access.cfg file, we can prevent the list command but allow the system to work properly:
<Directory cgi-bin/*>
AllowOverride all
<Limit GET>
Order deny,allow
deny from all
allow from 127.0.0.1
Satisfy all
</Limit>
</Directory>
However, the issue is this only prevents access to the cgi-bin directory and not the subdirectories, so someone could still access, say, cgi-bin/system/.
We cannot seem to find any syntax in the above command to apply the limits to all the subfolders, and we really don't want to have to create a section for each subfolder, for all of the obvious reasons, including managing new directories in the future, as it seems an easy way of inadvertently opening up security holes if someone forgets.
Any help in simplifying the configuration so that all subdirectories are covered by default would be greatly appreciated. Please keep in mind that any solution must allow the localhost 127.0.0.1 address to have full access and prevent any other IP address from access.
As always, thank you in advance for any help!
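An added example, not part of the original post and not vendor code: a Python audit for the per-folder workaround the post wants to avoid, listing every folder under cgi-bin that has no `deny from all` section of its own in access.cfg. It assumes, as the post reports, that a `<Directory>` section covers only the folder it names and not its subfolders; the function names, sample config and folder tree are constructed for illustration.

```python
import os
import re
import tempfile

SECTION_RE = re.compile(r"<Directory\s+([^>]+)>(.*?)</Directory>", re.I | re.S)
DENY_RE = re.compile(r"^\s*deny\s+from\s+all\s*$", re.I | re.M)

def protected_dirs(cfg_text):
    """Directories whose <Directory> section contains 'deny from all'."""
    # Assumption (from the post): a section covers only the folder it names.
    covered = set()
    for path, body in SECTION_RE.findall(cfg_text):
        if DENY_RE.search(body):
            name = re.sub(r"/\*$", "", path.strip().replace("\\", "/"))
            covered.add(name.lower())
    return covered

def uncovered_dirs(web_root, top, cfg_text):
    """Folders under web_root/top that have no deny-all section of their own."""
    covered, missing = protected_dirs(cfg_text), []
    for cur, dirs, _files in os.walk(os.path.join(web_root, top)):
        dirs.sort()  # deterministic report order
        rel = os.path.relpath(cur, web_root).replace(os.sep, "/")
        if rel.lower() not in covered:
            missing.append(rel)
    return missing

# Constructed sample: the section from the post plus one per-folder copy.
SAMPLE_CFG = """\
<Directory cgi-bin/*>
AllowOverride all
<Limit GET>
Order deny,allow
deny from all
allow from 127.0.0.1
Satisfy all
</Limit>
</Directory>
<Directory cgi-bin/system/*>
<Limit GET>
deny from all
allow from 127.0.0.1
</Limit>
</Directory>
"""

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed folder tree
        for sub in ("cgi-bin/system", "cgi-bin/reports", "cgi-bin/system/logs"):
            os.makedirs(os.path.join(root, *sub.split("/")))
        return uncovered_dirs(root, "cgi-bin", SAMPLE_CFG)
```

The check reads only the configuration file, so a request from a non-local address is still needed to confirm what the server actually serves.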
04-23-2009 08:26 AM
Hello NPI_Chris,
I saw no one had posted a reply to your question - hopefully this will start some activity. I don't have a quick answer so I will need to do some research and get back to you!