ASCIIweb Times-Tribune Vol. I Issue I.

SECURITY
--------

Allowing a user access to your system over a network is a security
risk. This includes email, web, and other network services.

Any time a remote user's actions cause applications to run on your
system, you are in danger of having your system compromised through a
flaw in the design of any one of the pieces that make that application
run.

One very common entry point for malicious users is the dynamic cgi
script, and in particular, the execution of arbitrary code by a dynamic
cgi script.

We understand this possibility, and have attempted to harden ASCIIweb
against such an attack. However, no software is bulletproof. Therefore
it is your responsibility as a system administrator or user to consider
the risks involved and make sure that your actions are prudent and
acceptable.

STATIC MODE
-----------

You can avoid all the security hassles of dynamic cgi scripts by not
running ASCIIweb as a cgi! Instead, use static mode to render the pages
from your source files, removing the ability of an attacker to run any
programs not already allowed by your webserver. This method takes out
all the potential cgi attacks. It also removes any additional load your
server might experience because of ASCIIweb.

Unfortunately, static page generation also eliminates many of
ASCIIweb's cooler features.

OTHER FEATURES
--------------

ASCIIweb has several features designed to help run aw as a cgi while
still maintaining the level of security you are comfortable with.

docdir is the directory under which all documents must live if ASCIIweb
is to display them, and is roughly equivalent to Apache's DocumentRoot
option. This keeps users from successfully reading files which should
not be visible to web users (like /etc/passwd).

Example:
    docdir=/var/www/tastytronic.net/asciiweb/test/

ASCIIweb checks the absolute path of any requested file using Perl's
Cwd::abs_path function and verifies that it lies within docdir, thus
stopping the traditional /../../../etc/passwd attack.

SCRIPTS
-------

scriptdir is like docdir for scripts. Scriptdir is the document
directory for secondary scripts. This encourages your administrator to
specify by hand the scripts or binaries allowed to be run by ASCIIweb.
Any executables not in or symlinked to scriptdir will not run. Your
scriptdir must be within your docdir.

allowexecute is the conf directive that specifies whether included
scripts may be run. ASCIIweb is able to incorporate the output of
secondary scripts into its normal output. This can be useful for
displaying up-to-the-minute stats such as system load or system time.
However, it is an additional security risk. You may prefer to disable
it.

Example:
    allowexecute=1
or
    allowexecute=0

executepage is related to allowexecute. If users are allowed to include
script output, are they allowed to use secondary scripts which provide
the complete output for a page? This is a greater security risk as it
potentially allows a remote user to see filenames and paths of
secondary scripts.

The ASCIIweb Times-Tribune is a Tastytronic Industries newspaper.
Generated at: Thu Sep 11 15:16:02 CDT 2025
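
The docdir check described under OTHER FEATURES, as an added example
(not ASCIIweb's own code): a Perl routine that resolves each request
with Cwd::abs_path and serves it only if the result lies inside docdir.
The function name resolve_in_docdir and the temporary file tree are
constructed for illustration.

```perl
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Return the canonical path if $request resolves to a regular file inside
# $docdir, otherwise undef. (Hypothetical helper, not an ASCIIweb function.)
sub resolve_in_docdir {
    my ($docdir, $request) = @_;
    my $root = abs_path($docdir);
    return undef unless defined $root;
    # abs_path collapses ".." and follows symlinks, so the comparison is
    # made on where the file really lives, not on the string requested.
    my $real = eval { abs_path("$root/$request") };
    return undef unless defined $real && -f $real;
    # Compare with a trailing slash: a bare prefix match would accept
    # a sibling such as docs-private when docdir is docs.
    return index("$real/", "$root/") == 0 ? $real : undef;
}

# Constructed sample tree: docs/ is the docdir, everything else is off limits.
my $tmp = tempdir(CLEANUP => 1);
make_path("$tmp/docs/news", "$tmp/docs-private");
for my $f ("docs/news/issue1.txt", "docs-private/secret.txt", "outside.txt") {
    open my $fh, '>', "$tmp/$f" or die "$f: $!";
    print {$fh} "sample\n";
    close $fh;
}
symlink "$tmp/outside.txt", "$tmp/docs/link.txt" or die "symlink: $!";

for my $req (
    "news/issue1.txt",             # ordinary document
    "news/../news/issue1.txt",     # ".." that stays inside docdir
    "../outside.txt",              # ".." that climbs out of docdir
    "../docs-private/secret.txt",  # sibling sharing the docdir prefix
    "link.txt",                    # symlink whose target is outside docdir
    "news/missing.txt",            # no such file
) {
    my $real = resolve_in_docdir("$tmp/docs", $req);
    printf "%-28s %s\n", $req, defined $real ? "serve" : "refuse";
}
```

Because the check follows symlinks, a link inside docdir that points
elsewhere is refused here; that choice is an assumption of this example.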