[1100] in WWW Security List Archive
Re: Unix links subverting Web security
daemon@ATHENA.MIT.EDU (Vegard.Vesterheim@runit.sintef.no)
Wed Nov 1 07:14:23 1995
From: Vegard.Vesterheim@runit.sintef.no
Date: Wed, 1 Nov 95 09:51:20 +0100
To: lstein@genome.wi.mit.edu (Lincoln D. Stein)
Cc: Karl Boyken <boyken@cs.uiowa.edu>, www-security@ns2.rutgers.edu
In-Reply-To: <v0214030aacbbec79a4e6@[18.157.0.189]>
Reply-To: Vegard.Vesterheim@runit.sintef.no
Errors-To: owner-www-security@ns2.rutgers.edu
I do not understand this. If a directory is protected with a
.htaccess file, then the .htaccess file itself is also protected,
right?
Please explain how a .htaccess file can be fetched without being
accepted by the conditions specified in the .htaccess file itself.
Lincoln D. Stein writes:
> Well, for example, if you have CGI scripts enabled in that directory, you
> might not want all the world to know that there's a potential hole to
> exploit there. Nor do you want the physical location of the password=
files
> known, even if you aren't using passwords in that particularly directory.
>
> Lincoln
>
> >Are per-directory .htaccess files really a security risk? The only people who
> >can look at these files with a Web browser are people who already have access.
> >It's similar to /etc/passwd--the only people who (legitimately) can read
> >/etc/passwd are people who already have accounts in /etc/passwd.
> >
> >What am I missing here?
> >
> >>
> >> >>Don't forget that remote users can view .htaccess with ease just by asking
> >> >>for the URL!
> >> >>
> >> >> http://your-site/.htaccess
> >> >
> >> >No, you have 2 different directories for documents (def: htdocs) and
> >> >conf (def: conf) - at least with ncsa-httpd and derivatives
> >>
> >> Yes, this is the better way to do it, but a lot of people use the alternate
> >> per-directory file method.
> >>
> >
> >--
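The two mitigations the thread circles around, shown as an added Apache httpd 2.4 configuration example (not from the thread, whose servers were NCSA-era and used a different syntax): refuse to serve any per-directory config file as a document, and keep access rules in the server config with per-directory overrides switched off. The path /var/www/htdocs is an assumed document root.

```apache
# Added example, not from the thread. Apache httpd 2.4 syntax.

# 1. Never serve per-directory config files (.htaccess, .htpasswd, ...)
#    as ordinary documents, regardless of what those files contain.
#    A request for http://your-site/.htaccess gets 403, not the file.
<Files ".ht*">
    Require all denied
</Files>

# 2. The "two different directories" approach from the thread: access
#    rules live here, in the server config, and httpd is told not to
#    read .htaccess files under the document root at all.
#    /var/www/htdocs is an assumed path.
<Directory "/var/www/htdocs">
    AllowOverride None
    Require all granted
</Directory>
```

Caveat: AllowOverride None alone only stops httpd from reading a .htaccess file; a stale one left in the document root would still be served as a plain file without the <Files> block, so keep both settings.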