Security Basics mailing list archives

Re: Apache AuthBasic


From: Creed Erickson <creed () mac com>
Date: Fri, 12 Dec 2003 16:36:23 -0800

The biggest concern is local .htaccess files.

1) Be sure to disallow overrides from a local .htaccess file. i.e., IF someone were to get write access, you want to disallow them from changing access policy by creating or editing a local .htaccess file. e.g.:
    <Directory /mydir>
        AllowOverride None
    </Directory>

2) If you are using a local .htaccess file, be sure it's not writable by whatever user the httpd server runs as.

3) Make sure you disallow inspection of .htaccess. e.g.:
    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>


On Friday, December 12, 2003, at 07:46 AM, Jon Mark Allen wrote:

I have a website with one particular folder I want to secure.

I have setup SSL and Apache AuthBasic for that folder and all subfiles.

My question is: does anyone know of any vulnerabilities or ways to crack/circumvent AuthBasic?

So far, the only method I've found of breaking AuthBasic is to sniff the traffic to lift the username/password, but I've tested that with the SSL and the username/password combo is passed after SSL has already been established.

It is very important that this folder be as secure as I can make it. Obviously, just being available on the web at all reduces the overall security significantly, but I don't have a choice there. :-)

Thanks for your help.

Jon Mark
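A small audit for points 1 and 3 of the reply above, added here as an example and not part of the original thread: it scans an httpd.conf fragment for `<Directory>` blocks whose `AllowOverride` is anything other than `None` (a missing directive counts too, since Apache defaulted to `All` before 2.3.9) and checks that some `<Files>`/`<FilesMatch>` block matching `^\.ht` denies all access. The sample config is constructed; the regex parser is deliberately simple and assumes one directive per line.

```python
import re

# Constructed sample: one weak directory, plus the hardened fragments from the post.
SAMPLE_CONF = """
<Directory /var/www/html>
    AllowOverride All
</Directory>
<Directory /mydir>
    AllowOverride None
</Directory>
<Files ~ "^\\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
"""

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
FILES_RE = re.compile(r'<(Files|FilesMatch)\s+(.*?)>(.*?)</\1>', re.S | re.I)
OVERRIDE_RE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)


def directories_allowing_override(conf):
    """Return <Directory> paths where a local .htaccess could still change policy.

    A block with no AllowOverride line is reported as well: on Apache releases
    before 2.3.9 the default was All, so silence is not safe there.
    """
    weak = []
    for path, body in DIRECTORY_RE.findall(conf):
        m = OVERRIDE_RE.search(body)
        if m is None or m.group(1).strip().lower() != "none":
            weak.append(path)
    return weak


def htaccess_is_hidden(conf):
    """True if a <Files>/<FilesMatch> block for ^\\.ht denies every client.

    Accepts both the 2.2-style "Deny from all" used in the post and the
    2.4-style "Require all denied".
    """
    for _tag, pattern, body in FILES_RE.findall(conf):
        if "^\\.ht" not in pattern:
            continue
        body_l = body.lower()
        if "deny from all" in body_l or "require all denied" in body_l:
            return True
    return False


if __name__ == "__main__":
    print("AllowOverride not None:", directories_allowing_override(SAMPLE_CONF))
    print(".ht* files hidden:", htaccess_is_hidden(SAMPLE_CONF))
```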
