[Previous] [Next] [Index]
[Thread]
Re: Unix links subverting Web security
Well, for example, if you have CGI scripts enabled in that directory, you
might not want all the world to know that there's a potential hole to
exploit there. Nor do you want the physical location of the password files
known, even if you aren't using passwords in that particularly directory.
Lincoln
>Are per-directory .htaccess files really a security risk? The only people who
>can look at these files with a Web browser are people who already have access.
>It's similar to /etc/passwd--the only people who (legitimately) can read
>/etc/passwd are people who already have accounts in /etc/passwd.
>
>What am I missing here?
>
>>
>> >>Don't forget that remote users can view .htaccess with ease just by asking
>> >>for the URL!
>> >>
>> >> http://your-site/.htaccess
>> >
>> >No, you have 2 different directories for documents (def: htdocs) and
>> >conf (def: conf) - at least with ncsa-httpd and derivates
>>
>> Yes, this is the better way to do it, but a lot of people use the alternate
>> per-directory file method.
>>
>
>--
>Karl Boyken, sys. prog., Dept. of CS, 303A MLH, U. of Iowa, Iowa City, IA 52242
>email: karl-boyken@uiowa.edu WWW: http://www.cs.uiowa.edu/~boyken/
>voice: 319-335-2730 fax: 319-335-3017
========================================================================
Lincoln Stein, M.D.,Ph.D. lstein@genome.wi.mit.edu
Director: Informatics Core
MIT Genome Center (617) 252-1916
Whitehead Institute for Biomedical Research (617) 252-1902 FAX
One Kendall Square
Cambridge, MA 02139
=================http://www-genome.wi.mit.edu/~lstein====================
Follow-Ups: