Security Basics mailing list archives
Re: Insecure handling of Apache restrictions?
From: Stewart <bdlists () snerk org>
Date: Wed, 16 Oct 2002 13:59:23 -0400
Benoît Gauthier wrote:
> When the virtual site is accessed via http://user.blabla.ca, documents in the "secure" directory are correctly controlled by the statements. Fine. However, if the same page (and directory) is accessed via http://blabla.ca/~user, then NO authentication is done! NONE!
You could add a statement to your DocumentRoot section like so;

    RedirectPermanent "/~user" "http://user.blablah.com/"

Which would force browsers to access the page via the 'proper' means, rather than via the back door. Besides; if a user has their own sub-domain, why would they want a tilde site anyways?
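An added example, not part of the original thread: one configuration layout that produces the behaviour described in the question, next to a server-level arrangement in which the restriction follows the files rather than the hostname. The filesystem paths, realm name and password file location are assumptions for illustration; the thread does not show the poster's actual configuration.

```apache
# ---- Before (assumed layout): restriction scoped to one virtual host ----
<VirtualHost *:80>
    ServerName user.blabla.ca
    DocumentRoot /home/user/public_html

    # This section is only consulted for requests handled by this
    # virtual host, i.e. http://user.blabla.ca/secure/
    <Directory /home/user/public_html/secure>
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /home/user/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>

# Main server: mod_userdir maps http://blabla.ca/~user/secure/ onto the
# same files, but the <Directory> section above is not in scope here,
# so no credentials are requested.
UserDir public_html

# ---- After: restriction declared in the main server configuration ----
# <Directory> matches on the filesystem path, and sections in the main
# server config are inherited by every virtual host, so the directory
# is protected whichever URL maps to it.
<Directory /home/user/public_html/secure>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /home/user/.htpasswd
    Require valid-user
</Directory>

# The redirect suggested in the reply, placed in the main server
# context. It steers browsers to the sub-domain but is not itself an
# access control, so it complements the <Directory> block above.
RedirectPermanent /~user http://user.blabla.ca/
```

After a change like this, requesting the protected directory through both URLs and confirming that neither returns the content without credentials (a 401 or a redirect, never a 200) verifies the fix.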