[1097] in WWW Security List Archive
Re: Unix links subverting Web security
daemon@ATHENA.MIT.EDU (Lincoln D. Stein)
Tue Oct 31 14:27:22 1995
Date: Tue, 31 Oct 1995 10:21:49 -0500
To: Karl Boyken <boyken@cs.uiowa.edu>
From: lstein@genome.wi.mit.edu (Lincoln D. Stein)
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Well, for example, if you have CGI scripts enabled in that directory, you
might not want all the world to know that there's a potential hole to
exploit there. Nor do you want the physical location of the password files
known, even if you aren't using passwords in that particular directory.
Lincoln
>Are per-directory .htaccess files really a security risk? The only people who
>can look at these files with a Web browser are people who already have access.
>It's similar to /etc/passwd--the only people who (legitimately) can read
>/etc/passwd are people who already have accounts in /etc/passwd.
>
>What am I missing here?
>
>>
>> >>Don't forget that remote users can view .htaccess with ease just by asking
>> >>for the URL!
>> >>
>> >> http://your-site/.htaccess
>> >
>> >No, you have 2 different directories for documents (def: htdocs) and
>> >conf (def: conf) - at least with ncsa-httpd and derivatives
>>
>> Yes, this is the better way to do it, but a lot of people use the alternate
>> per-directory file method.
>>
>
>--
>Karl Boyken, sys. prog., Dept. of CS, 303A MLH, U. of Iowa, Iowa City, IA 52242
>email: karl-boyken@uiowa.edu WWW: http://www.cs.uiowa.edu/~boyken/
>voice: 319-335-2730 fax: 319-335-3017
========================================================================
Lincoln Stein, M.D.,Ph.D. lstein@genome.wi.mit.edu
Director: Informatics Core
MIT Genome Center (617) 252-1916
Whitehead Institute for Biomedical Research (617) 252-1902 FAX
One Kendall Square
Cambridge, MA 02139
=================http://www-genome.wi.mit.edu/~lstein====================
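The exposure discussed in this thread (a per-directory .htaccess served back to anyone who requests its URL) next to the server-side mitigation, as an added example that is not part of the original message. It assumes modern Apache httpd 2.4 syntax rather than the NCSA httpd of the thread, and the paths under /var/www and /etc/httpd are placeholders.

```apacheconf
# Weak setting: per-directory .htaccess files are honoured inside the
# document root, and nothing stops the server from returning the file
# itself as a plain document. A request for http://your-site/.htaccess
# then reveals AuthUserFile paths, script settings and similar details.
DocumentRoot "/var/www/htdocs"
<Directory "/var/www/htdocs">
    AllowOverride AuthConfig Options
</Directory>

# Hardened: refuse to serve any .ht* file wherever it sits under the
# document root. This is the stock rule that ships in the httpd 2.4
# default configuration and should never be removed.
<Files ".ht*">
    Require all denied
</Files>

# Better still, follow the advice in the thread: keep access control in
# the main server configuration (the "conf" directory) instead of in a
# per-directory file, and keep the password file outside DocumentRoot so
# no URL maps to it at all.
<Directory "/var/www/htdocs/private">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/etc/httpd/conf/passwd.private"
    Require valid-user
</Directory>
```

A quick check after deploying is to request /.htaccess from the site and confirm the server answers 403 rather than the file contents.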