[Previous] [Next] [Index]
[Thread]
Re: Unix links subverting Web security
On Tue, 31 Oct 1995, Karl Boyken wrote:
> Are per-directory .htaccess files really a security risk? The only people who
> can look at these files with a Web browser are people who already have access.
> It's similar to /etc/passwd--the only people who (legitimately) can read
> /etc/passwd are people who already have accounts in /etc/passwd.
Not really true. .htaccess is one problem. /passwd/.htpasswd is another
problem. Anybody can get your password file by:
http://your_web_host/passwd/.htpasswd
crack it, and visit you again with the password.
This password mechanism is not good for cracker, but for gentleman.
John
> What am I missing here?
>
> >
> > >>Don't forget that remote users can view .htaccess with ease just by asking
> > >>for the URL!
> > >>
> > >> http://your-site/.htaccess
> > >
> > >No, you have 2 different directories for documents (def: htdocs) and
> > >conf (def: conf) - at least with ncsa-httpd and derivates
> >
> > Yes, this is the better way to do it, but a lot of people use the alternate
> > per-directory file method.
> >
>
> --
> Karl Boyken, sys. prog., Dept. of CS, 303A MLH, U. of Iowa, Iowa City, IA 52242
> email: karl-boyken@uiowa.edu WWW: http://www.cs.uiowa.edu/~boyken/
> voice: 319-335-2730 fax: 319-335-3017
>
Follow-Ups:
References: