> [On Thu Apr 23 14:36:00 1998, pedwardat_private wrote]

[snip snip]

> (Oh, BTW, there exists a very HUGE privacy hole in the FP
> extensions). If you go to a site that has FP extensions, just pick
> any directory in the URL, yank the filename off, and put "_vti_cnf"
> there instead...you'll get a complete listing of all the files in the
> real directory. With this you can snatch files that weren't meant to
> be seen by the public...and it's available on ALL FP enabled sites.

Incorrect. This reflects on the web server configuration, not
necessarily that of FP....same goes for the password file snatching.
i.e. it's easy to set up Apache to prevent this stuff. Though, FP does
want to keep "touching" various files, including the .htaccess
files...changing the permissions after FP has created them keeps
everything in check (so long as httpd and FP can still *read* the
files).

James

-- 
James E. Robinson, III | jamesat_private | Lead Systems Programmer
NC State University | NCState.Net | http://www.ncstate.net/
Information Technology | PGP key at http://www.ncstate.net/james/pgp/
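
An added example, not part of the original message or of any FrontPage or NC State configuration: one way to set up Apache so that a request for a "_vti_cnf" URL returns neither a listing nor the files. The document root path and the directory names other than _vti_cnf are assumptions about a typical layout; the syntax is Apache 2.4.

```apache
# Added example. /usr/local/apache/htdocs is an assumed document root.

# Weak setting, shown commented out: with Indexes enabled, any directory
# without an index file (such as a _vti_cnf directory) is served as a
# file listing.
#
# <Directory "/usr/local/apache/htdocs">
#     Options Indexes FollowSymLinks
#     Require all granted
# </Directory>

# Corrected setting: no automatic directory listings anywhere under the
# document root.
<Directory "/usr/local/apache/htdocs">
    Options -Indexes +FollowSymLinks
    Require all granted
</Directory>

# Refuse HTTP access to the FrontPage metadata directories at any depth.
# _vti_cnf is the name from the message; _vti_pvt, _vti_log and _vti_txt
# are assumed names for the other metadata directories.
# This only blocks web requests. httpd and the FP extensions still read
# the files through the filesystem, which is the condition the reply
# gives for keeping things working.
<DirectoryMatch "/_vti_(cnf|pvt|log|txt)(/|$)">
    Require all denied
</DirectoryMatch>

# Never serve .htaccess or related password files over HTTP.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

On Apache 1.3 or 2.2, replace each `Require all denied` with `Order allow,deny` followed by `Deny from all`.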