Tech note FS1438
Description
Security for the FlashStats configuration file.
Answer
FlashStats requires that the FlashStats configuration file be located in the same directory (folder) as the FlashStats binary executable file. These file names are as follows:
Platform | Executable file name | Configuration file name
Windows | FlashStats.exe | FlashStats.ini
Macintosh | FlashStats.acgi | FlashStats.ini
UNIX | FlashStats.cgi | FlashStats.conf
The primary concern is to prevent web surfers from being able to retrieve the configuration file. Exposing it would be a security breach, because it would reveal all of the FlashStats user account definitions, including their passwords.
For most Windows and UNIX systems this should not be a problem because the executable is located in a directory which holds only executables, and the configuration file cannot be viewed. You can try this by requesting the configuration file from your server with a URL such as this (modify as appropriate):
http://www.myserver.com/scripts/FlashStats.ini
You should get an error, usually error 403. If not, please check your server's configuration to ensure that files in the directory can only be executed, not requested. (This is often accomplished by making sure that the files have Execute permission but not Read permission.)
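As an added example (not part of this tech note), the following POSIX shell script automates the two checks described above on a UNIX host: it confirms that the configuration file carries no group or other read bit on disk, and it requests the file's URL with curl, treating any status other than 200 (usually 403) as the correct outcome. The directory, file name and URL are placeholders supplied on the command line; the script name is an assumption.

```shell
#!/bin/sh
# Added example, not from the FlashStats tech note: checks that the
# FlashStats configuration file is neither group/other-readable on disk
# nor returned by the web server when requested directly.
# All paths and URLs are placeholders supplied on the command line.

# check_conf_perms DIR CONFNAME
# Returns 0 when DIR/CONFNAME exists and has no group or other read bit,
# 1 when it is missing or readable by group/others (the risky state).
check_conf_perms() {
    path="$1/$2"
    if [ ! -f "$path" ]; then
        echo "missing: $path" >&2
        return 1
    fi
    # -perm -040: group read bit set; -perm -004: other read bit set.
    # Octal masks are used so the test behaves the same with GNU and BSD find.
    readable=$(find "$path" \( -perm -040 -o -perm -004 \) -print)
    if [ -n "$readable" ]; then
        echo "WARNING: $path is readable by group or others"
        return 1
    fi
    echo "ok: $path is not group/other readable"
    return 0
}

# probe_conf_url URL
# Requests the configuration file over HTTP. Any status other than 200
# (typically 403) means the server refused to serve it. Returns 1 on 200.
probe_conf_url() {
    status=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    if [ "$status" = "200" ]; then
        echo "EXPOSED: $1 returned 200 (configuration file is being served)"
        return 1
    fi
    echo "ok: $1 returned HTTP $status"
    return 0
}

# Usage: sh check_flashstats_conf.sh /path/to/cgi-dir FlashStats.conf \
#            http://www.myserver.com/scripts/FlashStats.conf
if [ "$#" -ge 2 ]; then
    check_conf_perms "$1" "$2"
    if [ "$#" -ge 3 ]; then
        probe_conf_url "$3"
    fi
fi
```

The permission check is deliberately about mode bits rather than `[ -r ]`, which only answers for the user running the script; what matters is whether the account the web server runs as can read the file.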
On Macintosh systems there is more of a concern. The preferred solution is to move both the FlashStats executable (FlashStats.acgi) and the FlashStats configuration file (FlashStats.ini) into a separate CGI folder somewhere other than under your normal HTML document root. Then specify that folder as your CGI folder, and configure your server so that it only executes CGI programs if they are located in the CGI folder.
You will have to edit the FlashStats Report Request Form (index.html) so that the <form action=> tag points to the correct URL on your system. You will also have to move any other CGI programs into this folder and change any pages referring to them as well.
If you don't want to move all of your executables into a special CGI folder, then you can use other tricks to prevent the configuration file from being returned successfully. One idea is to map the ".ini" file extension to another type. For instance, you can map it to Maxum NetForms, so if the user requests it they will simply get a message stating "Thanks for your form submission," and NetForms won't do anything with it.
Finally, please note that FlashStats 1.4 and later can also read the FlashStats configuration file from the system Preferences folder (Macintosh systems only). Simply move the FlashStats.ini file into the Preferences folder. Any configuration file in the same folder as FlashStats.acgi will take precedence; if no such file exists, FlashStats will look for its configuration file in the Preferences folder.