[1102] in WWW Security List Archive


Re: Unix links subverting Web security

daemon@ATHENA.MIT.EDU (Lianyi Zhu)
Wed Nov 1 13:34:42 1995

Date: Wed, 1 Nov 1995 08:24:41 -0600 (CST)
From: Lianyi Zhu <zhul@cs.uregina.ca>
To: Karl Boyken <boyken@cs.uiowa.edu>
cc: www-security@ns2.rutgers.edu, lstein@genome.wi.mit.edu
In-Reply-To: <199510311504.AA007541894@silo.cs.uiowa.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
On Tue, 31 Oct 1995, Karl Boyken wrote:

> Are per-directory .htaccess files really a security risk?  The only people who
> can look at these files with a Web browser are people who already have access.
> It's similar to /etc/passwd--the only people who (legitimately) can read
> /etc/passwd are people who already have accounts in /etc/passwd.

Not really true. .htaccess is one problem; /passwd/.htpasswd is another.
Anybody can get your password file by requesting:
	http://your_web_host/passwd/.htpasswd
crack it, and visit you again with the password.

This password mechanism is not good against crackers, only against gentlemen.


John  
> What am I missing here?
> 
> > 
> > >>Don't forget that remote users can view .htaccess with ease just by asking
> > >>for the URL!
> > >>
> > >>        http://your-site/.htaccess
> > >
> > >No, you have 2 different directories for documents (def: htdocs) and
> > >conf (def: conf)  -  at least with ncsa-httpd and derivates
> > 
> > Yes, this is the better way to do it, but a lot of people use the alternate
> > per-directory file method.
> > 
> 
> -- 
> Karl Boyken, sys. prog., Dept. of CS, 303A MLH, U. of Iowa, Iowa City, IA 52242
> email: karl-boyken@uiowa.edu              WWW: http://www.cs.uiowa.edu/~boyken/
> voice: 319-335-2730                                           fax: 319-335-3017
> 

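The exposure the thread is arguing about is a placement mistake: a per-directory .htaccess, or the .htpasswd it names with AuthUserFile, ends up underneath the server's document root, so the same server that enforces the password will also hand the file to anyone who asks for its URL. The audit below is an added example, not code from the thread or from NCSA httpd. It walks a document root, reports every ".ht*" file under it, and additionally parses each .htaccess for AuthUserFile/AuthGroupFile directives whose target resolves to a path inside the tree (the "/passwd/.htpasswd" case), printing the URL path at which each would be fetchable. The sample tree it builds is constructed for the demonstration; the hash strings in it are placeholders, not real credentials.

```python
import os
import re
import tempfile
from pathlib import Path

# NCSA/Apache-style directives that name a credential file by filesystem path.
_DIRECTIVE_RE = re.compile(r"^\s*(AuthUserFile|AuthGroupFile)\s+(\S+)", re.IGNORECASE)


def exposed_auth_files(docroot):
    """Return a sorted list of (filesystem_path, url_path) for auth-related files
    that live under DOCROOT and would therefore be served to anyone requesting
    the URL, unless the server is configured to refuse them.

    Two cases are covered:
      * any file whose name starts with ".ht" (.htaccess itself, .htpasswd, ...);
      * any file named by AuthUserFile/AuthGroupFile in a .htaccess whose path
        resolves to somewhere inside DOCROOT, whatever it is called.
    """
    root = Path(docroot).resolve()
    found = {}  # resolved path -> URL path (dict dedupes a file found both ways)

    def url_for(p):
        return "/" + p.resolve().relative_to(root).as_posix()

    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if name.startswith(".ht"):
                found[p.resolve()] = url_for(p)
            if name != ".htaccess":
                continue
            for line in p.read_text(errors="replace").splitlines():
                m = _DIRECTIVE_RE.match(line)
                if not m:
                    continue
                target = Path(m.group(2))
                if not target.is_absolute():
                    target = p.parent / target
                target = target.resolve()
                try:
                    target.relative_to(root)
                except ValueError:
                    continue  # outside the document root: not reachable by URL
                if target.exists():
                    found[target] = url_for(target)
    return sorted((str(path), url) for path, url in found.items())


def build_sample_docroot():
    """Construct a throwaway document root reproducing the thread's setup.
    Constructed sample data only; the password lines are placeholders."""
    docroot = Path(tempfile.mkdtemp(prefix="htdocs-"))
    (docroot / "passwd").mkdir()
    (docroot / "passwd" / ".htpasswd").write_text("alice:xyPbAcQW1fO/6\n")
    (docroot / "private").mkdir()
    (docroot / "private" / ".htaccess").write_text(
        "AuthType Basic\n"
        'AuthName "Members"\n'
        f"AuthUserFile {docroot}/passwd/.htpasswd\n"   # the mistake: under DocumentRoot
        "require valid-user\n"
    )
    # A user file kept in a separate conf directory (the remedy the thread
    # mentions) is not reachable by URL and must not be reported.
    conf = Path(tempfile.mkdtemp(prefix="conf-"))
    (conf / "users").write_text("bob:abcdefghijklm\n")
    (docroot / "safe").mkdir()
    (docroot / "safe" / ".htaccess").write_text(f"AuthUserFile {conf}/users\n")
    return docroot


if __name__ == "__main__":
    for path, url in exposed_auth_files(build_sample_docroot()):
        print(f"{url:30s} <- {path}")
```

Against the constructed tree the audit reports /passwd/.htpasswd, /private/.htaccess and /safe/.htaccess, and says nothing about the users file in the conf directory. Note that the .htaccess files themselves still show up even when their AuthUserFile points outside the tree: the fix for those is a server-level rule refusing requests for ".ht*" names, which is separate from (and complements) keeping the password file out of the document root.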