[3087] in WWW Security List Archive
Re: Any known holes in .htaccess/.htpasswd directory security?
daemon@ATHENA.MIT.EDU (Chad Schieken)
Thu Sep 26 10:47:17 1996
To: John Allen <JOHNAL@attachmate.com>
cc: "'www-security@ns2.rutgers.edu'" <www-security@ns2.rutgers.edu>
In-reply-to: Your message of "Tue, 24 Sep 1996 09:13:20 PDT."
<c=US%a=_%p=Attachmate%l=EXCH-BEL3-960924161320Z-2865@exch-bel1.attachmate.com>
Date: Thu, 26 Sep 1996 08:35:38 -0400
From: Chad Schieken <cschieke@advsys.com>
Errors-To: owner-www-security@ns2.rutgers.edu
John,
It also depends on what server you/they are running. This style of
authentication does NOT work with many Netscape products. Specifically the
Commerce and Communications servers.
It lacks the "documented" ability to have nested .htaccess files. Although the
documentation says this works... It doesn't.
While at worst this is an indirect hole, it leads to a situation where files
that are supposed to be protected are not.
Thanks,
Chad
--
+--------------------------------------------------------------------+
|Chad Schieken | Voice: 609.983.3888 |
|Advanced Systems Consulting, Inc.| Fax: 609.983.2125 |
|Marlton, NJ 08034 | E-mail: cschieke@advsys.com |
+--------------------------------------------------------------------+