[10025] in bugtraq
Re: FrontPage + Apache + FreeBSD
daemon@ATHENA.MIT.EDU (Paul Schandel)
Mon Mar 29 13:32:58 1999
Date: Fri, 26 Mar 1999 15:07:58 -0800
Reply-To: Paul Schandel <paulsc@TECHWAVE.COM>
From: Paul Schandel <paulsc@TECHWAVE.COM>
To: BUGTRAQ@NETSPACE.ORG
Your example was:
<VirtualHost www.domain.com>
DocumentRoot /virtual/domain.com
ServerName www.domain.com
ServerAlias domain.com
</Virtual Host>
Now, it that conf.. where does it point either the alias(domain.com) or
virtual (www.domain.com) to a different directory?
Since it doesnt point it to a different directory it is going to create and
find that username and password in that directory.
If you do this:
<VirtualHost www.domain.com>
DocumentRoot /virtual/domain.com
ServerName www.domain.com
</Virtual Host>
<VirtualHost www.somedomain.com>
DocumentRoot /virtual/somedomain.com
ServerName www.somedomain.com
</VirtualHost>
it is now pointing each domain to its own directory. And creating seperate
.htaccess files in seperate directories.
This is how I have it configured and the problems you have explained never
have occured with me.
Paul Schandel
FireTrail Internet Services, Ltd.
Microsoft MVP FrontPage
-----Original Message-----
From: Gregory A. Carter [mailto:omni@dynmc.net]
Sent: Friday, March 26, 1999 2:44 PM
To: Paul Schandel
Cc: BUGTRAQ@netspace.org
Subject: Re: FrontPage + Apache + FreeBSD
On Fri, 26 Mar 1999, Paul Schandel wrote:
. This is not a security issue. Hence why they did not respond to you.
.
. In your own example of a VirtualHost you listed domain.com and alias
. www.domain.com in the same hosting.
.
. In this instance why wouldnt FrontPage associate both domains as being in
. the SAME directory and location. Hence the username and password are
stored
. in the same location. Are both working on the same ROOT WEB. you didnt
. setup any subwebs so you wouldnt see any of those. It would be
considered a
. security issue if say www.somedomain.com opened with the user/pass of the
. one set for www.domain.com. But in this instance it would not be.
No this is not correct, when I'm going to www.domain.com... instead of the
server pointing me at the root web of the virtual hosted site it brings me
to the root web of the whole server. Sub webs have nothing to do with it.
I wouldn't care about the problem at all accept for the fact the when it
directs FrontPage Explorer to the main root web instead it also uses the
VIRTUAL WEBS permissions. Hence as in my case I added a user to the
virtual web and pointed my web site to www.domain.com (the virtual web
alias), it brought up the MAIN web for the whole server but allowed me
access with the virtual webs permissions. This is *definatly* a bug on
M$'s side here. The extensions to at the LEAST recognize the
"ServerAlias" directive in apache and either #1 Go to the right web or #2
deny access to the main root web of the whole server with the virtual webs
usernames and passwords.
Try it out you'll see what I mean. I was quite surprised when I added a
u/p so a customer could edit their virtual web site and having them call
up and mention that they had access to our main web site that's not
virtualy hosted because they entered "www.domain.com" instead of
"domain.com" in the list webs box.
Greg
+(Omni@Dynmc.Net)------------------------------------------------------+
| Dynamic Networking Solutions InterX Technologies |
| Senior Network Administrator bits/keyID 1024/7DF9C285 |
| omni@interx.net omni@itstudio.net omni@undernet.org omni@webpop3.com |
+--------[ DC 50 57 59 C3 76 46 E8 EB 75 A8 94 FE 96 9E D3 ]----------+
