how to protect the search.cgi in IIS?

  • how to protect the search.cgi in IIS?

    Can someone please help me protect the search.cgi file from users that are not logged in to our site?

    I followed the directions from the page below, and I am able to protect my protectedsearch.asp file. But any public user can still go to www.site.com/search.cgi instead of www.site.com/protectedsearch.asp

    http://www.wrensoft.com/zoom/support/faq_ssi.html#ssi_cgi

    Server is Windows 2003 running IIS.

  • #2
    As you have wrapped the script in your own ASP code, then the user won't ever know that the file search.cgi exists on your system.

    One simple solution would be to just place it in a folder with a random folder name.
    www.site.com/secret_name/search.cgi

    Not 100% secure, but maybe enough, depending on what you are trying to protect. Remember that you also need to protect the index files (*.zdat) if you want zero leakage.

    Another solution would be to disable the serving of .CGI & .ZDAT files in IIS. Your ASP script should still be able to do a shell execute on the CGI even if IIS doesn't serve that file type.

    Might even be able to place the entire /secret_name/ folder outside of the web site folder. I haven't tested this however.

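A check for the fix discussed in replies #2 and #3, as an added example that is not part of the original thread or Wrensoft's code: it confirms that the folder holding search.cgi and the .zdat index files sits outside the web root and that no copies were left behind under it. The directory layout, the `audit` and `is_inside` helpers and the sample file names are constructed for illustration.

```python
import os
import tempfile

# Extensions the thread says must not be served directly.
SENSITIVE_EXTS = {".cgi", ".zdat"}

def is_inside(path, root):
    """True if path resolves to root or below it ('..' and symlinks resolved)."""
    path = os.path.normcase(os.path.realpath(path))
    root = os.path.normcase(os.path.realpath(root))
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:  # e.g. different drives on Windows
        return False

def audit(web_root, zoom_dir):
    """Return sorted findings; an empty list means nothing is reachable by path."""
    findings = []
    if is_inside(zoom_dir, web_root):
        findings.append("zoom folder is inside web root: " + zoom_dir)
    # Look for copies left behind after the move (case-insensitive extension match).
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SENSITIVE_EXTS:
                findings.append("leftover file under web root: "
                                + os.path.join(dirpath, name))
    return sorted(findings)

def demo():
    """Build a constructed directory tree and audit it before and after cleanup."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "wwwroot")
    zoom_dir = os.path.join(base, "zoomsearch")  # assumed location outside wwwroot
    os.makedirs(os.path.join(web_root, "old"))
    os.makedirs(zoom_dir)
    forgotten = os.path.join(web_root, "old", "SEARCH.CGI")  # constructed stale copy
    for p in (os.path.join(zoom_dir, "search.cgi"),
              os.path.join(zoom_dir, "sample_index.zdat"),  # constructed file name
              os.path.join(web_root, "protectedsearch.asp"),
              forgotten):
        open(p, "w").close()
    before = audit(web_root, zoom_dir)
    os.remove(forgotten)
    after = audit(web_root, zoom_dir)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before cleanup:", before)
    print("after cleanup:", after)
```

This inspects filesystem paths only; an IIS virtual directory mapped onto the moved folder would still serve it, so the site's virtual directories need checking as well.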


    • #3
      I moved the entire folder outside of the wwwroot folder, updated the path to the new cgi in IIS web extensions, and it works great. Now all the ZDAT and cgi files are protected.

      Thanks for a great product!

      I do have a few more issues to resolve before we can go live.
      1. indexing xls file inside a zip file not working
      2. zip thumbnail not showing the correct image file



      • #4
        Have you turned on indexing of both .ZIP and .XLS files?
        Are other files in ZIP files being indexed?
        Did you check the log for errors?
        Are you sure that the ZIP file or Excel file are not password protected?

        For the Zip thumb. What settings do you have? What image is being displayed if not the right one? In the search results do they point to the Zip file itself or the file inside the Zip file?



        • #5
          Both .ZIP and .XLS are turned on. No password is set in the files.
          I did a test and indexed the ZIP file two ways.

          1. By direct link. www.site.com/downloads/file.zip
          This method works great, all the contents of the XLS file are indexed.
          As expected, the thumbnail returned from this URL is the thumbnail set for ZIP files.
          The search results return both the .ZIP and .XLS files, tested by searching **

          2. By a download script link. www.site.com/downloadscript.asp?file=file.zip
          This method only indexes the meta info from the ZIP file.
          The thumbnail returned from this URL is the thumbnail set for ASP files.
          The search results return only the content from the .ZIP file, also tested by searching **



          • #6
            Maybe your downloadscript.asp download script is returning the wrong mime type?

            In other words maybe your server flags the file type as text or HTML rather than a Zip file. It is easy enough to check, what is the full URL to the downloadscript.asp script?



            • #7
              I'll send you a PM for the link.
              As far as I know the correct MIME type is set.
              ZIP
              "application/x-zip-compressed"

              XLS
              "application/vnd.ms-excel"



              • #8
                We have confirmed that this is a problem in the current V6 release. The problem occurs when there are more than 2 levels of filetypes in one URL, so here, we have an ASP page that actually serves a ZIP file, inside of which is an XLS file.

                This is something we have addressed in the next major release (V7). An early Alpha of which should be available in a couple of weeks. So you might want to contact us again then.
                --Ray
                Wrensoft Web Software
                Sydney, Australia
                Zoom Search Engine
