[4388] in bugtraq
Access control on W3C httpd server
daemon@ATHENA.MIT.EDU (Peter Lord)
Wed Apr 30 19:09:45 1997
Date: Wed, 30 Apr 1997 19:50:39 +0000
Reply-To: plord@perrin.demon.co.uk
From: Peter Lord <plord@PERRIN.DEMON.CO.UK>
To: BUGTRAQ@NETSPACE.ORG
I came accross this problem recently when using the CERN server. I
couldn't find any referrences to it ... but I guess this *must* be
well known. Still, better to speak up than to keep quiet.
My server has the following in the config file :-
Protection secret {
AuthType Basic
ServerID mine
PasswdFile /httpd/config/passwd
GroupFile /httpd/config/group
POST-Mask secret_group
GET-Mask secret_group
PUT-Mask webmaster
}
Protect /secret/* secret
Which works fine. When the client tries to access
http://www.site.co.uk/secret/index.html, for example, the password
box pops up.
However, if the client tries to access
http://www.site.co.uk//secret/index.html (note the double slash), the
server happily serves the document out.
Until I manage to have a dig around the sources, my tempory
workaround is to add :-
Protect //secret/* secret
Whick seems to work (regardless of how many extra slashes are slotted
in).
BTW, my source tree is the last available from CERN with a couple of
local mods (syslog logging + BROWSE support for AOLPress) - I havn't
touched anying which would effect this.
Comments?
Thanks,
Pete
