Protecting smartadmin.cgi


Since implementing S-mart, I have gotten 2 emails from others saying they have been able to run the smartadmin script. This means there are probably others. I have to run this out of the cgi-bin, else I could protect it with .htaccess. How are others protecting this admin feature from others??

-- Eric Ruck (webmaster@freshcoffee.com), February 05, 1998

Answers

If you want smartadmin protected, you should use .htaccess. Talk to your sysadmin about getting a .htaccess protected directory in your cgi-bin.

-- Barry Robison (brobison@rcinet.com), March 07, 1998.

.htaccess works, but make sure you use both IP and username protection. Username works against normal people, but hackers can easily hack this. Usage of IP restrictions will block those you don't want near the script.

-- (username@usa.net), March 25, 1998.
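
The combined username and IP restriction described in the answer above, as an added example that is not part of the original thread. It uses Apache 2.4 syntax; the realm name, password file path and address are placeholders, and it assumes the host allows `AllowOverride AuthConfig` for the cgi-bin directory.

```apache
# .htaccess placed in the cgi-bin directory that holds smartadmin.cgi.
# Assumption: the server config grants "AllowOverride AuthConfig" here;
# without it Apache ignores or rejects these directives.

# Scope the rules to the admin script only, so the public cart
# scripts in the same directory stay reachable.
<Files "smartadmin.cgi">
    AuthType Basic
    AuthName "S-Mart admin"
    # Placeholder path: keep the password file outside the document root
    # so it can never be fetched over HTTP. Create it with htpasswd.
    AuthUserFile "/path/outside/webroot/.htpasswd"

    # RequireAll means BOTH conditions must hold: a valid login
    # AND a request coming from an allowed source address.
    <RequireAll>
        Require valid-user
        # Placeholder address (documentation range); list the
        # administrator's real address or network here.
        Require ip 203.0.113.10
    </RequireAll>
</Files>

# For comparison, the username-only form is just:
#     Require valid-user
# which leaves the login prompt open to password guessing from anywhere.
# Basic auth sends the password merely base64-encoded on every request,
# so the admin URL should be served over HTTPS.
```

A request from any other address receives 403 before a password is ever checked, and a request from the allowed address still has to authenticate.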

When you are finished modifying your inventory, simply rename the smartadmin.cgi to smartadmin.qqq or some other extension that is not executable. You can also simply change the file permissions to non-executable. When you need to use the script, change it back.

;-)

-- Paul Sheehan (pauls@advp.com), November 08, 1998.


Another way of protecting this script is just to re-name the smartadmin.cgi script to something else like adsfladf.cgi (or some other random word or letter arrangement). That way you can still run it without having to go in, ftp, change the name back and forth and all of that. Just type in your "new" word for the script to work and chances are no one will ever be able to guess the script name.

Just a thought!

-BP

-- BP (bppilot@aol.com), November 08, 1998.

