[11976] in bugtraq
Re: More fun with WWWBoard
daemon@ATHENA.MIT.EDU (Ben Laurie)
Thu Sep 23 18:22:13 1999
Message-Id: <37EA3537.8BB7A4A0@algroup.co.uk>
Date: Thu, 23 Sep 1999 15:12:07 +0100
Reply-To: Ben Laurie <ben@ALGROUP.CO.UK>
From: Ben Laurie <ben@ALGROUP.CO.UK>
X-To: Vladimir Dubrovin <vlad@sandy.ru>
To: BUGTRAQ@SECURITYFOCUS.COM
Vladimir Dubrovin wrote:
>
> Hello Chris Ridd,
>
> 20.09.99 16:24, you wrote: More fun with WWWBoard;
>
> C> In Apache you'd configure this as follows:
>
> C> <Files passwd.txt>
> C> deny from all
> C> </Files>
>
> or put it in some directory inside your web home and configure
>
> <Limit GET>
> deny from all
> </Limit>
>
> <Limit POST>
> deny from all
> </Limit>
>
> for this directory. It's safer, because some text editors leave a
> backup copy of the file, for example passwd.txt~. In this case you are
> safe even if you forget to remove this file.

In general, you should not use <Limit...> unless for some reason you
want your security to only apply to GET and POST methods.

Cheers,

Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
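
The point about <Limit> in the reply above can be checked mechanically. The following is an added example, not part of the original thread or of Apache: a small Python scanner that reports which request methods are left outside access rules wrapped in <Limit> blocks. The function name, the method list and both sample configurations are constructed for illustration, and the text passed in is assumed to be a single .htaccess file or directory section.

```python
import re

# Representative request methods to check; an assumption, not a complete list.
KNOWN_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE",
                 "OPTIONS", "PATCH", "CONNECT")

# <Limit m1 m2 ...> ... </Limit>; "\s+" keeps <LimitExcept> from matching.
LIMIT_RE = re.compile(r"<Limit\s+([^>]+)>(.*?)</Limit>", re.I | re.S)
# Access-control directives whose scope is narrowed when placed inside <Limit>.
ACCESS_RE = re.compile(r"^\s*(deny|allow|order|require)\b", re.I | re.M)


def unprotected_methods(conf):
    """Return the methods not covered by any access-controlling <Limit> block.

    conf is treated as one context (assumption). An empty list means no
    access rule is wrapped in <Limit>, so any rule present is unconditional.
    """
    covered = set()
    found = False
    for methods, body in LIMIT_RE.findall(conf):
        if not ACCESS_RE.search(body):
            continue  # block holds no access rule, nothing is narrowed
        found = True
        covered.update(methods.split())  # method names are case-sensitive
    if not found:
        return []
    if "GET" in covered:
        covered.add("HEAD")  # Apache applies a GET limit to HEAD as well
    return [m for m in KNOWN_METHODS if m not in covered]


# Constructed sample: the per-method form quoted in the thread.
LIMITED = """
<Limit GET>
deny from all
</Limit>
<Limit POST>
deny from all
</Limit>
"""

# Constructed sample: the same rule with no <Limit> wrapper.
UNCONDITIONAL = "deny from all\n"

if __name__ == "__main__":
    print("limited:", unprotected_methods(LIMITED))
    print("unconditional:", unprotected_methods(UNCONDITIONAL))
```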