Koozali.org: home of the SME Server

Setting up i-bays for Web-Applications

Brandon Friedman

Setting up i-bays for Web-Applications
« on: February 21, 2001, 04:25:58 PM »
I thought I would enquire as to how everyone is setting up their i-bays, web-apps etc. I downloaded TWIG 2.6.2 and created an i-bay:

Information bay name: twig

Brief description:  TWIG

Group:  Administrator

User access via file sharing or user ftp:  Write = Admin, Read = Group (*)

Public access via web or anonymous ftp:  Local network (password required)

Execution of CGI scripts in cgi-bin directory:  disabled

I unzipped my tarball into the html directory. I then set up the twig database and tables. I also set up a twig user and granted rights to the database.

All works perfectly - when I access my web url http://mydomain/twig/ I get prompted for a password!

All seems ok - I cannot access the twig i-bay from my network neighbourhood which is what I want.

The only security issue that concerns me is when I try to explore my sub-directories from my url http://mydomain/twig/config/ I can see all the files - isn't this a security risk? How can I prevent users from accessing the subdirectories and still keep the application running? When I click on the file it shows nothing... no text - does this mean that the file is secure?

The reason I ask is because the one file contains the user name and password to the database!
Regards
BF

Tim Litwiller

Re: Setting up i-bays for Web-Applications
« Reply #1 on: February 22, 2001, 04:37:49 AM »
One way which won't keep users/hackers from getting to a file that they know the location of, but will keep the casual browser from browsing the directories, is to do

touch index.html in the directory that you don't want them to be able to see the contents of. Then they will get a "document contains no data" error when they try to browse the directory.

The way to really protect the app is to put the directories that you don't want them getting to outside of the browsable area, i.e. the files directory of the i-bay. It takes more configuration to do this, but most web apps have provisions for this security model.

Some that you find don't support it at all, so then you may need to set up a .htaccess (I actually think it has a different name in e-smith but I forgot it now) to deny access to certain directories or files.

Brandon Friedman

Re: Setting up i-bays for Web-Applications
« Reply #2 on: February 22, 2001, 05:29:25 PM »
> one way which won't keep users/hackers from getting to a file that they know where is but will keep the casual browser from browsing the directories is to do

Just to clarify Tim... I have set a password on the i-bay, so if I make this bay public, it should be protected from the outside world? I shouldn't be vulnerable to outside attacks?

As for people that are able to browse my i-bay (web-only), they do have access to my config directory, but when you click on any of the config files, it shows up blank...! Is this ok?

Regards

BF

Tim Litwiller

Re: Setting up i-bays for Web-Applications
« Reply #3 on: February 24, 2001, 02:54:12 AM »
The password on the i-bay will protect quite well. Then only people you have given the password to will be able to attempt to hack inside that.

Not to say that the web app itself may not have security problems, but that is a risk we have to monitor and take if we want to run apps on the web.

I would still put an empty index.html file in the config directory.

It's of no use to advertise what the file names are that might contain sensitive info, even if they are protected so you can't view them. If they can't see them to start with, they are less likely to attempt to access them.
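The per-directory rules Tim describes (hide the listing, then deny direct HTTP access to the config directory entirely), written out as an added example that is not from the original thread or from the e-smith/SME Server project; it assumes stock Apache 1.3/2.2 access-control syntax and that the server honours .htaccess for the i-bay (on e-smith the Apache config is generated from templates, so the same directives may need to go into the relevant template fragment instead, as Tim's reply hints).

```apache
# Constructed example: .htaccess placed in the i-bay's html/twig/config/
# directory (path assumed from the thread). Only applies if Apache has
# AllowOverride enabled for this tree; if it does not, an identical block
# must go into the server-side <Directory> configuration instead.

# WEAK (the situation described in the thread): no index file and
# listings enabled, so every filename - including the one that holds the
# database credentials - is advertised to anyone who can reach the i-bay.
#     Options +Indexes

# STEP 1: stop Apache from generating directory listings. This does the
# same job as "touch index.html" without relying on a placeholder file.
Options -Indexes

# STEP 2: refuse to serve anything from this directory over HTTP. The
# application still reads its config from the filesystem (include/require),
# so it keeps working; only direct browser requests are refused (HTTP 403).
# Note: a "blank" page on a .php file means the server executed it and it
# printed nothing. A stray copy such as config.php.bak or config.inc would
# be served as plain text, so deny the whole directory rather than one file.
Order deny,allow
Deny from all

# Apache 2.4 equivalent of the two lines above (mod_authz_core syntax):
#     Require all denied
```

To confirm the rule took effect, request http://mydomain/twig/config/ and a file inside it from a browser on the local network: both should now return 403 instead of a listing or a blank page.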