[1098] in WWW Security List Archive
Re: Unix links subverting Web security
daemon@ATHENA.MIT.EDU (Karl Boyken)
Tue Oct 31 14:32:28 1995
From: Karl Boyken <boyken@cs.uiowa.edu>
To: www-security@ns2.rutgers.edu
Date: Tue, 31 Oct 1995 09:04:53 -0600 (CST)
Cc: lstein@genome.wi.mit.edu
In-Reply-To: <v02140303acbad15de244@[18.157.0.189]> from "Lincoln D. Stein" at Oct 30, 95 02:11:51 pm
Errors-To: owner-www-security@ns2.rutgers.edu
Are per-directory .htaccess files really a security risk? The only people who
can look at these files with a Web browser are people who already have access.
It's similar to /etc/passwd--the only people who (legitimately) can read
/etc/passwd are people who already have accounts in /etc/passwd.
What am I missing here?
>
> >>Don't forget that remote users can view .htaccess with ease just by asking
> >>for the URL!
> >>
> >> http://your-site/.htaccess
> >
> >No, you have 2 different directories for documents (def: htdocs) and
> >conf (def: conf) - at least with ncsa-httpd and derivates
>
> Yes, this is the better way to do it, but a lot of people use the alternate
> per-directory file method.
>
--
Karl Boyken, sys. prog., Dept. of CS, 303A MLH, U. of Iowa, Iowa City, IA 52242
email: karl-boyken@uiowa.edu WWW: http://www.cs.uiowa.edu/~boyken/
voice: 319-335-2730 fax: 319-335-3017
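For reference, here is the configuration contrast the quoted exchange is about, as an added example that is not part of the original message or of any poster's own server setup. It assumes an Apache 1.x-style httpd.conf (NCSA httpd derivative); the paths and the password file name are made up for illustration.

```apache
# Added example, not from the thread. Assumed Apache 1.x-style httpd.conf;
# the ServerRoot, DocumentRoot and password file paths are illustrative.

# Weak: per-directory override files are enabled and nothing tells the
# server not to serve them, so http://your-site/private/.htaccess is
# returned like any other file under DocumentRoot, exposing whatever it
# contains (for example the AuthUserFile path it names).
DocumentRoot /usr/local/etc/httpd/htdocs
AccessFileName .htaccess

# Corrected, three parts:
# 1. Refuse to serve any file whose name starts with ".ht", whether or
#    not such files exist under DocumentRoot.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# 2. Keep the access rules and the password file in the conf directory
#    (the "2 different directories" approach from the quoted reply),
#    so nothing security-relevant sits under DocumentRoot at all.
# 3. Turn per-directory override files off for that tree, so a stray
#    .htaccess dropped there later cannot change the rules.
<Directory /usr/local/etc/httpd/htdocs/private>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /usr/local/etc/httpd/conf/private.passwd
    require valid-user
    AllowOverride None
</Directory>
```

After restarting the server, a request for http://your-site/private/.htaccess should return 403 rather than the file; with the rules living in httpd.conf there is nothing in the document tree to fetch in the first place.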