Thread: is allowing full access to cgi-bin a big security issue?

  1. #11
    Senior Member | Join Date: Apr 2002 | Posts: 324

    I would really recommend win 2k IIS5 for web services if you are Windows based. Especially for production servers. Win 9x/ME are really nothing more than /home/ operating systems.

    The other benefit of the NT kernel (which 2k uses - it's really NT5), other than /far/ greater stability, is that you can assign proper permissions because of the NTFS filing system. This gives you a lot more control over what you can allow users to do and not do.

    That said, if you are running a web server on ME the chances are that it isn't a production server. So in your web server admin software (I've never heard of sambar - sorry) you should have a restricted IP list. Set this so that only 127.0.0.1 has access to your web server.

    127.0.0.1 is the built in loopback address for all network interface cards. This will stop anyone from using your webserver other than from the local machine. Now you can test all you want without any security concerns.

    Never give the Inetuser account write and execute permissions on the same directory.

    Hope that helped a bit
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.
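
The permission rule at the end of post #11, as an added example that is not part of the thread: a PowerShell audit that lists directories under a web root where the given identities can create files and where files created there inherit execute rights. The root path and identity names are assumptions (the last is a placeholder for the server's anonymous web account), and Deny entries are ignored, so the report errs on the side of over-reporting.

```powershell
# Added example, not code from the thread.
param(
    [string]$Root = 'C:\Inetpub\wwwroot',                 # assumption: web root to audit
    [string[]]$Identities = @('Everyone', 'BUILTIN\Users',
                              'PLACEHOLDER\web-anonymous') # placeholder account name
)

$FSR          = [System.Security.AccessControl.FileSystemRights]
$CreateFiles  = [int]$FSR::CreateFiles      # same bit as WriteData on a directory
$ExecuteFile  = [int]$FSR::ExecuteFile
$GenericExec  = 0x20000000 -bor 0x10000000  # GENERIC_EXECUTE | GENERIC_ALL in inheritable ACEs
$InheritOnly  = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$ObjectInherit = [int][System.Security.AccessControl.InheritanceFlags]::ObjectInherit

function Test-WriteAndExecute {
    param($Acl, [string[]]$Names)
    $canCreate = $false   # identity may drop new files into this directory
    $filesExec = $false   # files in this directory inherit an execute right
    foreach ($rule in $Acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }   # Deny entries not modelled
        if ($Names -notcontains $rule.IdentityReference.Value) { continue }
        $bits        = [int]$rule.FileSystemRights
        $onlyInherit = (([int]$rule.PropagationFlags) -band $InheritOnly) -ne 0
        $toFiles     = (([int]$rule.InheritanceFlags) -band $ObjectInherit) -ne 0
        # Rights on the directory itself: can the identity create files here?
        if (-not $onlyInherit -and (($bits -band $CreateFiles) -ne 0)) { $canCreate = $true }
        # Rights passed down to files: would an uploaded file be executable?
        if ($toFiles -and (($bits -band ($ExecuteFile -bor $GenericExec)) -ne 0)) { $filesExec = $true }
    }
    return ($canCreate -and $filesExec)
}

# Audit the root itself and every directory beneath it.
$dirs = @(Get-Item -LiteralPath $Root) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    if (Test-WriteAndExecute $acl $Identities) {
        Write-Output "WRITE+EXECUTE: $($dir.FullName)"
    }
}
```

This checks NTFS ACLs only; any execute setting the web server itself applies to a directory has to be reviewed separately.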

  2. #12
    Senior Member | Join Date: Apr 2002 | Posts: 214

    How much would winnt/2k cost? And, is it command-line?

    ntsa, if I understand you correctly, you're saying not to give them full cgi access? Well, I guess if they really wanted to use cgi, they could use their ISP's webspace or a remotely hosted one.

    I think instead of trying to secure my box, I'll just forget the idea of giving them full cgi access.
    Either get busy living or get busy dying.

    -The Shawshank Redemption

  3. #13
    Senior Member | Join Date: Jan 2002 | Posts: 1,207

    You could give them PHP access, and use PHP's secure mode which can limit what they can do, but still let them execute some kinds of scripts.

    It's not perfect but better than nothing.

    Of course if you were running under *NIX, I'd suggest CHROOT'ing the whole thing, but esp under WinME, you can't do anything like that. Like ntsa says, on Windows you'd be much better off with Win2k.
