Re: apache + .htpasswd - bypass pwd check

From: Jedi/Sector One (jat_private)
Date: Fri Apr 26 2002 - 14:16:52 PDT


    On Fri, Apr 26, 2002 at 02:07:05PM -0700, RSnake wrote:
    > 	cd ~john
    > 	I don't have to know where it is.
    
      Unless your users have shell access, there's no reason to have anything
    but a 'nobody' account in your /etc/passwd & co files.
    
      If you need entries for suexec to work, have fake ones, with no password,
    no shell and /dev/null as a home directory. The only thing Apache+suexec
    needs is to map uids to some user name.
    
      The real path to web pages of every virtual host is located in httpd.conf's
    DocumentRoot directives. System accounts don't have to match.
    
    > Chrooted jails are the only way to go.
    
      Indeed. Zeus has a handy feature to do this out of the box.
      
    -- 
     __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
     \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
      \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
    



    This archive was generated by hypermail 2b30 : Fri Apr 26 2002 - 15:51:52 PDT