Re: apache + .htpasswd - bypass pwd check

From: Jose Nazario (joseat_private)
Date: Thu Apr 25 2002 - 09:19:45 PDT


    On 25 Apr 2002, Hallberg Tom wrote:
    
    >
    > Okay, let's say that user ivan has protected his
    > /home/ivan/public_html/topsecret directory. And on the same server we
    > have the user johan, from his public_html directory we make a symlink
    > ln -s /home/ivan/public_html/topsecret test okay so then johan tries
    > http://www.hostname.whatever/~johan/test he will end up in ivan's
    > topsecret directory..
    
    old news:
    	http://www.humanfactor.com/cgi-bin/cgi-delegate/apache-ML/nh/1997/May/0397.html
    
    fix:
    	http://www.freebsddiary.org/protected.php
    
    summary:
    	Options -FollowSymLinks +SymLinksIfOwnerMatch or something similar
    
    
    sorry, my apache is a bit rusty. however, it's a known issue and should be
    configurable around.
    
    ___________________________
    jose nazario, ph.d.			joseat_private
    					http://www.monkey.org/~jose/
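
An audit sketch for the comparison behind the SymLinksIfOwnerMatch option named in the summary, added here as an example and not part of the original message: it lists symlinks whose target is owned by a different uid than the link itself. The function names, the temporary directory layout and the uids 1001/1002 are constructed for illustration.

```python
import os
import tempfile
from types import SimpleNamespace

def owner_mismatched_links(root, lstat=os.lstat, stat=os.stat):
    """List (link, resolved target) for symlinks under root whose target has a
    different owner than the link, the case SymLinksIfOwnerMatch refuses."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            try:
                link_uid = lstat(path).st_uid   # owner of the link itself
                target_uid = stat(path).st_uid  # owner of what it resolves to
            except OSError:
                continue                        # dangling link, nothing to serve
            if link_uid != target_uid:
                findings.append((path, os.path.realpath(path)))
    return findings

def demo():
    """Constructed layout from the thread: johan links into ivan's directory.
    Creating files as two real users needs root, so ownership is simulated."""
    home = os.path.realpath(tempfile.mkdtemp())
    secret = os.path.join(home, "ivan", "public_html", "topsecret")
    johan = os.path.join(home, "johan", "public_html")
    os.makedirs(secret)
    os.makedirs(johan)
    os.symlink(secret, os.path.join(johan, "test"))  # cross-user link
    os.symlink(johan, os.path.join(johan, "self"))   # same-owner link
    uids = {"ivan": 1001, "johan": 1002}             # constructed uids

    def uid_of(path):
        user = os.path.relpath(path, home).split(os.sep)[0]
        return SimpleNamespace(st_uid=uids[user])

    resolved = lambda p: uid_of(os.path.realpath(p))  # stands in for os.stat
    return home, owner_mismatched_links(home, uid_of, resolved)

if __name__ == "__main__":
    for link, target in demo()[1]:
        print(f"{link} -> {target}: owner mismatch")
```

With the default `os.lstat`/`os.stat` arguments the same function can be pointed at a real directory tree by an account that can read every user's public_html.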
    


