It seems bugzilla installs all cgi scripts to /var/www/html/bugzilla.
I find this rather non-optimal. Shouldn't these go somewhere _outside_
DocumentRoot, and then be ScriptAliased in httpd.conf?
One example might be /var/www/bugzilla.
Also, it seems the html example files in contrib weren't included. I'd
installing them somewhere, perhaps %doc or elsewhere. They're good for
and testing, at least, and now you have to dive for the source right away.

Isn't this a security thing? I'm not really into web stuff, but I read every
now and then that CGIs should always be outside DocumentRoot and ScriptAliased,
as you outlined. Perhaps changing it to severity "security" is appropriate?!

This will not be fixed due to the fact that this is the way the Mozilla Bugzilla
team has been doing it for quite some time. Yes, you are correct that normally cgi
progs should go outside the document root but there would be substantial changes
to be made for Bugzilla to work this way since it was designed from the
beginning to reside in a single directory of its own. With proper permissions
and well done code, it shouldn't be an issue in this case.
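
The two layouts discussed in this report, written out as an added Apache 2.4 configuration example that is not part of the original thread or of the Bugzilla package. The two directory paths are the ones named above; the /bugzilla/ and /bugzilla-static/ URL prefixes, the static directory and the file-extension pattern are assumptions chosen for illustration.

```apache
# --- Layout A: scripts inside DocumentRoot (what the package installs) ---
# CGI execution depends on the handler mapping below. If that mapping is
# lost, the .cgi files are served as plain text, and any other file placed
# in the directory is reachable by URL.
DocumentRoot "/var/www/html"

<Directory "/var/www/html/bugzilla">
    Options +ExecCGI -Indexes
    AddHandler cgi-script .cgi
    DirectoryIndex index.cgi
    AllowOverride None
    Require all granted

    # "Proper permissions" at the web-server level: refuse to serve files
    # that are not meant to be fetched directly.
    # (Pattern is an assumption for this example; adjust to the install.)
    <FilesMatch "(\.(pl|pm|bak|orig)|~)$">
        Require all denied
    </FilesMatch>
</Directory>

# --- Layout B: scripts outside DocumentRoot, mapped with ScriptAlias ---
# Nothing under /var/www/bugzilla is reachable unless explicitly mapped.
# ScriptAlias treats every file in the target directory as a CGI script,
# so static files (images, stylesheets) have to live elsewhere and be
# mapped separately. An application written to run from a single
# directory does not fit this layout without changes.
ScriptAlias "/bugzilla/" "/var/www/bugzilla/"

<Directory "/var/www/bugzilla">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Hypothetical static directory for layout B (not a path from the report).
Alias "/bugzilla-static/" "/var/www/bugzilla-static/"

<Directory "/var/www/bugzilla-static">
    Options -ExecCGI -Indexes
    AllowOverride None
    Require all granted
</Directory>
```

Only one of the two layouts would be enabled at a time; `apachectl configtest` checks the syntax before a reload.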