You need to turn off FollowSymLinks in the */public_html/ directories.

> -----Original Message-----
> From: Hallberg Tom [mailto:tom.hallbergat_private]
> Sent: Thursday, April 25, 2002 12:45 AM
> To: bugtraqat_private
> Cc: vuln-dev@security-focus.com
> Subject: apache + .htpasswd - bypass pwd check
>
>
> Hi
>
> Yesterday I managed to bypass the pwd check when using .htpasswd. The problem
> now is that I'm not sure how to secure it.
>
> Okay, let's say that user ivan has protected his
> /home/ivan/public_html/topsecret
> directory. And on the same server we have the user johan; from his public_html
> directory we make a symlink: ln -s /home/ivan/public_html/topsecret test
> Okay, so then johan tries http://www.hostname.whatever/~johan/test and
> he will end up in ivan's topsecret directory..
>
> So what have I missed in my httpd.conf or something else? :)
>
> Thanks
> /Tom
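As an added illustration (not configuration posted by Tom or by the replier), here is the httpd.conf setting the reply refers to, shown in the weak form that lets johan's link expose ivan's directory and in a hardened form. It assumes the layout visible in the thread (UserDir public_html under /home/<user>) and uses only Apache's standard UserDir, Options and AllowOverride directives.

```apache
UserDir public_html

# Weak: every symlink under a user's public_html is followed wherever it
# points, so johan's "test" link serves ivan's topsecret files as /~johan/test,
# and AllowOverride Options would let a user re-enable FollowSymLinks from
# his own .htaccess even if the server administrator removed it here.
<Directory /home/*/public_html>
    Options FollowSymLinks
    AllowOverride AuthConfig Options
</Directory>

# Hardened: follow a link only when the link and its target have the same
# owner. johan's link is owned by johan but points at a directory owned by
# ivan, so Apache refuses it with 403 Forbidden ("Symbolic link not allowed").
# AllowOverride no longer grants Options, so .htaccess files cannot widen it.
# (Options -FollowSymLinks alone also closes this hole, at the cost of
# breaking every per-user symlink, including harmless ones.)
<Directory /home/*/public_html>
    Options SymLinksIfOwnerMatch
    AllowOverride AuthConfig
</Directory>
```

After restarting httpd, a request for /~johan/test should now be logged as a 403 in error_log rather than served; `ls -l /home/johan/public_html/test` shows why, since the link and its target have different owners. Note that an Options line without a leading + or - replaces the whole option set for that directory, so any other options you rely on (Indexes, ExecCGI, etc.) have to be listed again on the same line.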
This archive was generated by hypermail 2b30 : Fri Apr 26 2002 - 08:39:54 PDT