Security Basics mailing list archives

Re: Insecure handling of Apache restrictions?


From: Mike Arnold <mike () midkaemia fsnet co uk>
Date: Sun, 13 Oct 2002 00:26:14 +0100

On Friday 11 Oct 2002 12:23 am, "Benoît" Gauthier wrote:

<snip>

> However, if the same page (and directory) is accessed via
> http://blabla.ca/~user, then NO authentication is done! NONE!

Because if you look closely the documents protected are under
http://blabla.ca/~user/secure if I remember my Apache right. The access to
http://blabla.ca/~user is not controlled.

> Why? How can I circumvent this behaviour?

Possibly by doing this.

<Directory /home/user/public_html/>
AuthType Basic
AuthName "Please enter your user id and password."
AuthDBUserFile /home/user/public_html/controle
Require valid-user
</Directory>

I'm certainly out of date with Apache as I haven't configured it in a while,
but to me the above would make sense.

> Thanks in advance.

Welcome, hope it works.

> Benoît

Mike

-- 
        By three methods we may learn wisdom: 
                First, by reflection, which is noblest; 
                Second, by imitation, which is easiest; 
                and third by experience, which is the bitterest. 

                        --Confucius 
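
An added example, not part of the original message: the reply's idea of attaching the authentication to the whole `public_html` directory, written for Apache 2.4, where `AuthBasicProvider dbm` with `AuthDBMUserFile` stands in for the older `AuthDBUserFile` directive. The paths and the narrow "before" block are assumptions, since the original configuration was snipped from the thread.

```apache
# Added example: Apache 2.4 syntax. All paths are placeholders (assumptions).

# Narrow form: only the subdirectory is protected, so a request for
# /~user/ itself, or for any sibling directory, is served without a prompt.
#
# <Directory "/home/user/public_html/secure">
#     AuthType Basic
#     AuthName "Please enter your user id and password."
#     AuthBasicProvider dbm
#     AuthDBMUserFile "/home/user/public_html/controle"
#     Require valid-user
# </Directory>

# Broader form: the rule is attached to the filesystem directory, so it
# applies to every URL that maps there (UserDir, Alias, or a virtual host's
# DocumentRoot). A <Location> block would match only one URL path.
<Directory "/home/user/public_html">
    AuthType Basic
    AuthName "Please enter your user id and password."
    AuthBasicProvider dbm
    # Credential database kept outside any served directory (placeholder
    # path), so it cannot be downloaded by a client.
    AuthDBMUserFile "/etc/apache2/auth/user-controle"
    Require valid-user
</Directory>

# If the database has to stay under public_html, refuse to serve it.
# The trailing * also covers the extra files some DBM types create.
<Directory "/home/user/public_html">
    <Files "controle*">
        Require all denied
    </Files>
</Directory>
```

After a reload, requesting the directory through each URL that reaches it, without credentials, should return 401 in every case.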

