Are absolute paths in a CGI script secure? - security

I'm creating a new design for a website, and there is an old CGI script, which sends an email to our server.
I can't post the code here because of privacy issues, but the problem will be clear in a second.
This CGI script takes some templates, and then redirects to a "thanks.htm" page. But while doing this, it is using absolute paths.
Now the question: Is it secure to use absolute paths? I mean, is it possible to read out the CGI scripts to get information about the server architecture?
Thanks in advance,
Greetings Thunderhook

You didn't mention which platform or webserver, but regardless, a properly configured web server shouldn't be able to serve readable CGI scripts. I would think that in a secured environment, the cgi-bin directory should live outside of accessible webspace.
IMHO, the problem with using absolute paths isn't a security issue as much as an extensibility issue. If it were my app, I would set an OS environment variable to the document root, then build the absolute path using that variable. Does that provide some added security? Maybe - as your concerns about file structure recon are somewhat mitigated. But it certainly makes it easier to reconfigure the app, or port it to a new server/location.
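
The approach suggested in the answer, as an added example that is not the poster's script or part of the original answer: the document root comes from an environment variable, template names are kept inside it, and error details that contain server paths go to the log instead of the response. The variable name `APP_DOC_ROOT`, the `templates` folder and the use of Node.js (the question does not name the script's language) are assumptions.

```javascript
// Added example, not the poster's script. APP_DOC_ROOT, the templates/
// folder and the sample values are assumptions made for illustration.
const path = require('node:path');

// Read the document root from the environment instead of hard-coding it.
function loadDocRoot(env = process.env) {
  const root = env.APP_DOC_ROOT;
  if (!root || !path.isAbsolute(root)) {
    throw new Error('APP_DOC_ROOT must be set to an absolute path');
  }
  return path.resolve(root);
}

// Build the absolute path of a template and refuse names that leave
// the templates folder (for example "../../etc/passwd").
function templatePath(docRoot, name) {
  const base = path.join(docRoot, 'templates');
  const full = path.resolve(base, name);
  const rel = path.relative(base, full);
  if (!rel || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`template "${name}" is outside ${base}`);
  }
  return full;
}

// Produce the CGI response. Details, including server paths, go to the
// log only; the client sees a URL or a generic message.
function respond(env, templateName, log) {
  try {
    const file = templatePath(loadDocRoot(env), templateName);
    log.push(`rendering ${file}`);
    // ... fill the template and send the mail here ...
    return 'Status: 302 Found\r\nLocation: /thanks.htm\r\n\r\n';
  } catch (err) {
    log.push(`request failed: ${err.message}`);
    return 'Status: 500 Internal Server Error\r\n' +
      'Content-Type: text/plain\r\n\r\nThe request could not be processed.\n';
  }
}
```

Moving the site then means changing one environment variable, and the redirect target stays a URL path rather than a file system path.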

Related

Node.js and ColdFusion on the same server?

I have a question about how to set up a Node.js server application. On my server I have a ColdFusion application server. I can test my code through a browser URL. I would like the same for Node.js. Node is already installed on my server, but the only way to run the code is through the cmd command window. First question is what I need in order for both to run on the same server? I still need my ColdFusion. Second question is about Node.js: can I set up a server application with IIS, or do I need something else? Also, do I have to specify which extension on my files will point to ColdFusion and which to Node? For example, the .cfm extension is for ColdFusion and .js is for Node. If anyone knows anything about this or where I can find more information, please let me know. I never experienced something similar and this is something completely new for me.
I know this is an old post but I figure I'd provide an answer for those souls who are looking around.
If working with Apache 2.4.x.
In a test environment this would not be too much of an issue, as Node and Coldfusion operate on different ports.
If you're looking to create a production site, then I would say that building a virtual host with a proxy to the node site and Coldfusion would be another method.
If you are using the Coldfusion connector to Apache and loading node, then still loading the proxy for the node part would be fine; just make sure you are pointing to the correct port for your node.
Things to remember:
You may have to alter internal Firewall rules.
Comment your hosts files so you don't accidentally alter the wrong file.
Both can exist within the same platform.

Where to put node.js code in cPanel

I am entirely new to backend development so this might be a ridiculously easy and straightforward question, but I'm really not sure. I am trying to learn node.js for backend development, and all of the tutorials I have seen so far show how node can be used to run JavaScript from the terminal and create a server on local host. While this is a neat thing to do, I am stuck there and having difficulty understanding where to put my node.js code on cPanel and how to use it effectively along with the rest of my html/css/js code; all the examples I have seen are very isolated and don't have much interaction with these other files.
Again, I don't have any backend experience, so it would not be very helpful to explain this concept relative to another server-side language like Python, Ruby, or PHP, as I really have no idea where I would put any of the code for any of that stuff either or how it fits into the bigger picture. If the answer could maybe touch on how to integrate Python or PHP as well and general patterns for backend development---the easy stuff everyone assumes but no one explains---it would be much appreciated.
It doesn't matter where you put it. However you probably want to keep it in the folder of the username which is using it. I created a folder called app/ in my users folder and put all my crap in there. Then you simply set it up to listen on a port approved by your host.
You can use a .htaccess file in your public_html folder to redirect to the correct port number.
Your node.js will handle routing. So to go to certain css/html files you will have to set that up in your node.js code.

Running vline-node example on IIS

I have successfully tested the vline-node example locally, but would like to push it out to a server. I have tried to install the example as an application on an IIS8 website, placing the example code under wwwroot. I have tried this both within the root and inside a virtual directory, pointing to the views folder. I am able to log in to the application from a browser on the server, although, since JavaScript is turned off on the server browsers for security, functionality is missing.
However, when I try to access the site from a remote browser I am not able to login. Actually, I can see that there is something wrong with my paths, as the include files are not found.
The more I've thought about this the more confused I've become. I'd like to run this under IIS, but wonder if that makes sense. Can someone offer a clean solution for hosting the vline-node example on a Windows Server, ideally under IIS?
Since you are using the node example, you'll need to make sure that node is actually running on your IIS server. Here's a SO response that may be helpful: How to run Node.JS server for a web application?
Note that in our node example the "main" file is vline-node.js, so use that in place of the app.js that is mentioned.

How to replace IIS with Node.js for simple websites

I am coming from the Microsoft world, so please bear with me on this. I was told I could install node.js and use that as a web server instead of IIS. This is a very small business application. In IIS I can create a virtual directory and point to the location of the web page and everything works just fine. Based on the very little I read, I have a few questions:
Is it possible to run node js as a windows service or any other form so that it runs for ever? I did find the forever package that I think I can use.
In IIS, I can create a virtual directory, set the port and that's it, I have myself a website.
I do not see any examples where I can use a directory where I have a web page, written in JavaScript, and point it to run as a web site. All the examples have something like server.js and that runs and routes the call. What is the other way to host web sites and use node.js to simply run as a fast web server?
I was told I could install node.js and use that as a web server instead of IIS.
This is true, but as you already found out then you are in charge of providing for things that IIS was already doing for you (e.g. automatically restart on reboot, or on crashes, hosting multiple sites by creating virtual folders, et cetera.)
You can indeed get all of these things worked out in Node.js and there are several libraries that help on each of these areas. It's not too hard but you'll need to do a bit of researching.
You can also run Node.js behind IIS. Take a look at iisnode http://tomasz.janczuk.org/2011/08/hosting-nodejs-applications-in-iis-on.html
Is it possible to run node js as a windows service or any other form so that it runs for ever?
The library Forever takes care of restarting the site when it crashes...but I don't know if you can run it as a Windows Service. I haven't tried that.
In IIS, I can create a virtual directory, set the port and that's it, I have myself a website.
I assume you are talking about a site that serves static HTML files, right? If that's the case that's very easy to support in Node.js either writing your own web server or using Express.js to serve static files.
I do not see any examples where I can use a directory where I have a web page, written in JavaScript, and point it to run as a web site. All the examples have something like server.js and that runs and routes the call.
Here is an extremely simple example to serve plain HTML files in Node.js https://gist.github.com/2573391 Don't use this in production, though. It's just an example and it does not have any kind of error handling or security.
What is the other way to host web sites and use node.js to simply run as a fast web server?
As others have said, you should look into Express.js http://expressjs.com/ It provides some of the infrastructure that you are very likely going to need when building traditional web sites.
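
A static-file handler of the kind the answer above describes, as an added example that is not from the linked gist or the original posts: it maps the request URL to a file under one folder, rejects paths that escape that folder, and keeps file system paths out of error replies. The folder name, port and function names are assumptions.

```javascript
// Added example. siteDir, the port and the function names are assumptions.
const http = require('node:http');
const fs = require('node:fs');
const path = require('node:path');

const TYPES = { '.html': 'text/html', '.htm': 'text/html',
                '.css': 'text/css', '.js': 'text/javascript' };

// Map a request URL to a file under siteDir. Returns null when the URL
// is malformed or the decoded path would land outside siteDir.
function resolveStatic(siteDir, requestUrl) {
  let pathname;
  try {
    pathname = decodeURIComponent(new URL(requestUrl, 'http://localhost').pathname);
  } catch {
    return null; // bad percent-encoding or unparsable URL
  }
  if (pathname.includes('\0')) return null;
  if (pathname.endsWith('/')) pathname += 'index.html';
  const root = path.resolve(siteDir);
  const file = path.join(root, pathname); // join() collapses ".." segments
  return file.startsWith(root + path.sep) ? file : null;
}

// Request handler that serves files from siteDir and nothing else.
function handler(siteDir) {
  return (req, res) => {
    const file = resolveStatic(siteDir, req.url);
    if (!file) { res.writeHead(400); return res.end('Bad request'); }
    fs.readFile(file, (err, data) => {
      // The reply never echoes the file system path.
      if (err) { res.writeHead(404); return res.end('Not found'); }
      const type = TYPES[path.extname(file)] || 'application/octet-stream';
      res.writeHead(200, { 'Content-Type': type });
      res.end(data);
    });
  };
}

// To serve a folder: http.createServer(handler('./public')).listen(8080);
```

Files reached through symbolic links inside the folder are not checked by this handler.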
You say you're running a "very small business application" behind IIS. Unless it's written for Node.js (in JavaScript), it won't work.
There are no examples pointing to a directory and running that as a website, because that's not how things are done in Node.js. You write a Node.js-application and pull in a webserver-library.
Put simply, in Node.js, you don't embed the application in the webserver; you embed the webserver in the application.
When I used node.js, I redirected HTTP requests by a proxy server, nginx. I don't know if you can directly bind node.js as an HTTP server, but for what it's worth, nginx is pretty nice!
First things first, allow me to share an introduction. IMHO you should take this decision (of moving from IIS to NodeJS) by adding various parameters. I belong to the Java & PHP community, yet I use NodeJS to achieve extremely specific implementations where NodeJS performs the fastest (fast IO, AJAX-JSON responses & more). As you are coming from a Microsoft background, you should bear with less comfortable solutions.
Yes, it's possible to run NodeJS as a Windows service, and Forever will do fine.
And yes, you can create "Virtual Directories", but by creating symbolic links to each of your customers' web sites.
I recommend taking a good look at bouncy & express. If you're willing to take this step, then these packages are just what you need.
Cheers!

.do extension in web pages?

I want to know what is .do extension in web pages. Is it a standard extension, or, if it's not, can we change the extension (like client-login.php to client-login.do and still run as PHP)?
Thanks.
.do comes from the Struts framework. See this question:
Why do Java webapps use .do extension? Where did it come from?
Also you can change what your urls look like using mod_rewrite (on Apache).
".do" is the "standard" extension mapped for the Struts Java platform. See http://struts.apache.org/ .
It is whatever it is configured to be on that particular web server. A web server could be configured to run .pl files with the php module and .aspx files with perl, although that would be silly. There are no scripts involved with most web servers, instead you'd have to look in your apache configuration files (or equivalent, if using different server software). If you have permission to edit the server config file, then you could make files ending in .do run as php, if that's what you're after.
Using apache's rewrite_module can change your script extensions. Give this thread a good read.
