Entire site in CGI-BIN possible?

    Hi,

    I have a client who is hosted with a company who are reluctant to alter folder permissions on the basis that "it's normally not actually necessary". I've set up a fair few sites and I'm used to tweaking the settings on our server to get everything to work, but my question is this:

    Is it possible to set up a site so the cgi-bin is used as the root - i.e. create the cgi-bin and acatalog structure within an existing cgi-bin folder (it having the required permissions by default)?

    The server's Win2K (or Win2k3 - not sure which)

    TIA

    Matt
    Adley Design Ltd
    Actinic old-timers

    #2
    Hi there.

    I have tried this on IIS5 running on my local machine, and it does seem to work for me. The configuration is without using a virtual cgi-bin.

    I have attached a copy of the network settings for you to have a look at.

    Please note, however, that the permissions of the acatalog cgi and root folders will need to be set as detailed on page 95 onwards of the latest Advanced User Guide, available from here.

    With Windows servers, it is normally only the host who can change permissions.

    Please note I did not setup with the virtual cgi-bin

    I hope this helps.
    Darren

    SellerDeck

    www.sellerdeck.co.uk

      #3
      Sorry, forgot the attachment
      Darren

      SellerDeck

      www.sellerdeck.co.uk

        #4
        Thanks Darren,

        I've hosted the client elsewhere in the short run so I'm over the "sort this out at any cost" period for now.

        Interestingly I uploaded a test site to the client's hosts (the twitchy-about-permissions guys), letting Actinic create the acatalog folder and using the pre-installed cgi-bin which was already set up for r/w/e.

        I was expecting to just confirm that it didn't work but I'm baffled to report that it all went swimmingly!?

        Of course I'm suspicious and I'll put a test site through more checks than I've done so far (a couple of searches and cc based purchase) but I may have to accept that it's one of those "it shouldn't but it does" scenarios.

        Can anybody think of anything I should be testing for other than the ability to upload, use and download from the site?

        Of course I'd be happy if it just works but I need to satisfy my cynical side...

        I'll check out your settings and see how they compare.

        TIA

        Matt
        Adley Design Ltd
        Actinic old-timers

          #5
          Hello again.

          "I was expecting to just confirm that it didn't work but I'm baffled to report that it all went swimmingly"

          I am surprised too!

          It may be worth trying to see if referrer.pl works, as this sometimes throws up problems. See page 62 of the latest Advanced User Guide for how to do this.

          Post your URL here, and I am sure a few members of the community would not mind making some test purchases.
          Darren

          SellerDeck

          www.sellerdeck.co.uk

            #6
            Hmm. Strange isn't it.

            I've actually already removed the site (clean as you go!) but I'll stick one up again and let you all loose on it - probably not for the next couple of days tho' realistically.

            I'm aware that referrer.pl is the most likely script to barf and I'll be sure to test that specifically. However, if the site doesn't make use of it, and everything else APPEARS to work should I swallow my surprise and accept that it does ACTUALLY work?

            I'm a practical guy at heart so if it all functions as it should I'll tend to go with my eyes. What I don't want to do is store a whole heap of trouble up for further down the line.

            I'll post the URL once I've uploaded a test site again and I'll check out the docs for referrer.pl.

            I 'spose what I'm concerned about is whether I'm somehow exploiting a security issue. If I can get the site to work with apparently incorrect permissions, does that mean that others may be able to take it one stage further and hack or break the site? (I appreciate that we may not want a public discussion on how to go about compromising Actinic sites but I appreciate sleeping with a clear conscience on my clients' behalf.)

            Any thoughts?

            Matt
            Adley Design Ltd
            Actinic old-timers

              #7
              Hi there.

              To be honest, it may be worth you looking at this. This page contains the list of our recommended hosting partners who are experienced in running Actinic sites.

              Please note that at this time, Eclipse Internet are experiencing difficulties hosting version 6 sites.

              I am double checking on the security implications for running within the cgi-bin for you.
              Darren

              SellerDeck

              www.sellerdeck.co.uk

                #8
                Hi Matt.

                There is a greater risk of running the site from within the cgi-bin. This is because the cgi-bin is normally the only folder which has executable programs associated with it.

                Having said that, however, a hacker would normally require FTP access to do anything in the first place, but it is worth pointing out that badly configured servers may allow programs such as Word to upload files, i.e. damaging executables.
                Darren

                SellerDeck

                www.sellerdeck.co.uk
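
Post #8's point is that a folder becomes risky when files can be both written into it and executed from it. The script below is an added example, not part of the thread or of SellerDeck's documentation: it lists folders under a web root where a web-facing account holds both rights in the NTFS ACL. The web root path and the account-name pattern are assumptions, and the execute-permission setting IIS keeps for the site or folder is a separate control that this script does not read.

```powershell
# Added example, not from the thread. $WebRoot and $AccountPattern are assumptions.
param(
    [string]$WebRoot        = 'C:\Inetpub\wwwroot',
    [string]$AccountPattern = '(^|\\)(IUSR\w*|IIS_IUSRS|Everyone|Users|Authenticated Users)$'
)

$fsr     = [System.Security.AccessControl.FileSystemRights]
$write   = [int]($fsr::WriteData -bor $fsr::AppendData)  # create or extend files
$execute = [int]$fsr::ExecuteFile                         # run a file in the folder

# The web root itself plus every folder beneath it.
$folders = @(Get-Item -LiteralPath $WebRoot) +
           @(Get-ChildItem -LiteralPath $WebRoot -Directory -Recurse)

$findings = foreach ($folder in $folders) {
    $allow = @{}; $deny = @{}   # account name -> combined rights bits
    foreach ($rule in (Get-Acl -LiteralPath $folder.FullName).Access) {
        $who = $rule.IdentityReference.Value
        if ($who -notmatch $AccountPattern) { continue }
        # Note: generic-rights bits on inherit-only entries are not expanded here.
        $bits = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq 'Allow') { $allow[$who] = [int]$allow[$who] -bor $bits }
        else                                     { $deny[$who]  = [int]$deny[$who]  -bor $bits }
    }
    foreach ($who in $allow.Keys) {
        # Deny entries win over Allow entries for the same account.
        $effective = $allow[$who] -band (-bnot [int]$deny[$who])
        if (($effective -band $write) -and ($effective -band $execute)) {
            [pscustomobject]@{
                Folder  = $folder.FullName
                Account = $who
                Rights  = [System.Security.AccessControl.FileSystemRights]$effective
            }
        }
    }
}

$findings | Sort-Object Folder, Account | Format-Table -AutoSize -Wrap
```

The check works per ACL entry and does not resolve group membership, so an account that gets write access through a group not named in the pattern will not be listed.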

                  #9
                  Thanks Darren,

                  We've been hosting Actinic sites successfully for a few years now - and tweak the folder permissions to suit. Ideally of course the client would host with us but I don't want to make that a condition of our ever undertaking Catalog makeovers etc.

                  So I'm only dealing with an exceptional event here. I'm getting closer to trying the whole thing out again to discover WHY it works at all - I'll post the results here.

                  I was thinking that maybe somebody had an experience of a site working with apparently wrong permissions - and then discovering what a bad idea the whole thing was. Or maybe hearing "Yep, we had the same thing but the site's been up with no problems for xxYears and turns over xMillion per month - don't worry about it."

                  Given that the site actually worked without putting it all in the cgi-bin the thread title's misleading.

                  I'm hoping to test all permissions scenarios here on a Win2003 IIS server and again on the site in question. I'll post my findings here, but as there doesn't actually appear to be a problem any more, please no breath holding.

                  Thanks for your input,

                  Matt
                  Adley Design Ltd
                  Actinic old-timers
