Re: FrontPage + Apache + FreeBSD

From: Paul Schandel (paulscat_private)
Date: Fri Mar 26 1999 - 15:07:58 PST


    Your example was:
    
    <VirtualHost www.domain.com>
    DocumentRoot /virtual/domain.com
    ServerName www.domain.com
    ServerAlias domain.com
    </VirtualHost>
    
    Now, in that conf, where does it point either the alias (domain.com) or
    virtual (www.domain.com) to a different directory?
    
    Since it doesn't point it to a different directory it is going to create and
    find that username and password in that directory.
    
    If you do this:
    
    <VirtualHost www.domain.com>
    DocumentRoot /virtual/domain.com
    ServerName www.domain.com
    </VirtualHost>
    
    <VirtualHost www.somedomain.com>
    DocumentRoot /virtual/somedomain.com
    ServerName www.somedomain.com
    </VirtualHost>
    
    it is now pointing each domain to its own directory.  And creating separate
    .htaccess files in separate directories.
    
    This is how I have it configured and the problems you have explained never
    have occurred with me.
    
    Paul Schandel
    FireTrail Internet Services, Ltd.
    Microsoft MVP FrontPage
    
    -----Original Message-----
    From: Gregory A. Carter [mailto:omniat_private]
    Sent: Friday, March 26, 1999 2:44 PM
    To: Paul Schandel
    Cc: BUGTRAQat_private
    Subject: Re: FrontPage + Apache + FreeBSD
    
    
    On Fri, 26 Mar 1999, Paul Schandel wrote:
    
     . This is not a security issue.  Hence why they did not respond to you.
     .
     . In your own example of a VirtualHost you listed domain.com and alias
     . www.domain.com in the same hosting.
     .
     . In this instance why wouldn't FrontPage associate both domains as being in
     . the SAME directory and location.  Hence the username and password are stored
     . in the same location.  Are both working on the same ROOT WEB.  You didn't
     . set up any subwebs so you wouldn't see any of those.  It would be considered a
     . security issue if say www.somedomain.com opened with the user/pass of the
     . one set for www.domain.com.  But in this instance it would not be.
    
    
    No this is not correct, when I'm going to www.domain.com... instead of the
    server pointing me at the root web of the virtual hosted site it brings me
    to the root web of the whole server.  Sub webs have nothing to do with it.
    I wouldn't care about the problem at all except for the fact that when it
    directs FrontPage Explorer to the main root web instead it also uses the
    VIRTUAL WEB'S permissions.  Hence as in my case I added a user to the
    virtual web and pointed my web site to www.domain.com (the virtual web
    alias), it brought up the MAIN web for the whole server but allowed me
    access with the virtual web's permissions.  This is *definitely* a bug on
    M$'s side here.  The extensions to at the LEAST recognize the
    "ServerAlias" directive in apache and either #1 Go to the right web or #2
    deny access to the main root web of the whole server with the virtual web's
    usernames and passwords.
    
    Try it out you'll see what I mean.  I was quite surprised when I added a
    u/p so a customer could edit their virtual web site and having them call
    up and mention that they had access to our main web site that's not
    virtually hosted because they entered "www.domain.com" instead of
    "domain.com" in the list webs box.
    
    Greg
    
    +(Omniat_private)------------------------------------------------------+
    | Dynamic Networking Solutions                     InterX Technologies |
    | Senior Network Administrator                bits/keyID 1024/7DF9C285 |
    | omniat_private omniat_private omniat_private omniat_private |
    +--------[  DC 50 57 59 C3 76 46 E8 EB 75 A8 94 FE 96 9E D3 ]----------+
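
An audit sketch for the two configurations discussed in this thread, added here as an example and not code from either poster: it parses `<VirtualHost>` blocks and reports hostnames that reach a virtual host only through `ServerAlias` (the case Greg reports) and `DocumentRoot` directories shared by more than one virtual host (the case Paul's layout avoids). The sample config is constructed; `www.other.example` and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample config, modelled on the snippets in the thread.
SAMPLE_CONF = """\
<VirtualHost www.domain.com>
DocumentRoot /virtual/domain.com
ServerName www.domain.com
ServerAlias domain.com
</VirtualHost>
<VirtualHost www.somedomain.com>
DocumentRoot /virtual/somedomain.com
ServerName www.somedomain.com
</VirtualHost>
<VirtualHost www.other.example>
DocumentRoot /virtual/domain.com/
ServerName www.other.example
</VirtualHost>
"""

BLOCK_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block: name, aliases, docroot."""
    vhosts = []
    for addr, body in BLOCK_RE.findall(conf):
        vh = {"name": addr.strip(), "aliases": [], "docroot": None}
        for line in body.splitlines():
            parts = line.split("#", 1)[0].split()  # drop comments, tokenize
            if not parts:
                continue
            key, args = parts[0].lower(), parts[1:]
            if key == "servername" and args:
                vh["name"] = args[0]
            elif key == "serveralias":
                vh["aliases"].extend(args)
            elif key == "documentroot" and args:
                # Normalize so /a/b and /a/b/ compare equal.
                vh["docroot"] = args[0].strip('"').rstrip("/") or "/"
        vhosts.append(vh)
    return vhosts

def alias_only_hosts(vhosts):
    """Map each hostname served only via ServerAlias to its vhost name."""
    return {a: vh["name"] for vh in vhosts for a in vh["aliases"] if a != vh["name"]}

def shared_docroots(vhosts):
    """DocumentRoots used by more than one vhost (shared .htaccess files)."""
    by_root = defaultdict(list)
    for vh in vhosts:
        by_root[vh["docroot"]].append(vh["name"])
    return {root: names for root, names in by_root.items() if len(names) > 1}
```

Each hostname returned by `alias_only_hosts` is one to open in the authoring client and confirm which web, and whose credentials, it lands on.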
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:40:48 PDT