Security Basics mailing list archives
Re: Apache AuthBasic
From: Creed Erickson <creed () mac com>
Date: Fri, 12 Dec 2003 16:36:23 -0800
The biggest concern is local .htaccess files.

1) Be sure to disallow overrides from a local .htaccess file. i.e., IF someone were to get write access, you want to disallow them from changing access policy by creating or editing a local .htaccess file. E.G.:

    <Directory /mydir>
        AllowOverride None
    </Directory>

2) If you are using a local .htaccess file, be sure it's not writable by whatever user the httpd server runs as.

3) Make sure you disallow inspection of .htaccess. E.G.:

    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>

On Friday, December 12, 2003, at 07:46 AM, Jon Mark Allen wrote:

I have a website with one particular folder I want to secure. I have set up SSL and Apache AuthBasic for that folder and all subfiles.

My question is: does anyone know of any vulnerabilities or ways to crack/circumvent AuthBasic?

So far, the only method I've found of breaking authBasic is to sniff the traffic to lift the username/password, but I've tested that with the SSL and the username/password combo is passed after SSL has already been established.

It is very important that this folder be as secure as I can make it. Obviously, just being available on the web at all reduces the overall security significantly, but I don't have a choice there. :-)

Thanks for your help.

Jon Mark
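
Added example, not part of the original messages: a mode-bit audit for points 1 and 2 of the reply, reporting every .htaccess the server account could edit and every directory where it could create one. The function names, the finding labels and the demo tree are assumptions made for illustration; ACLs and root are not considered.

```python
import os
import tempfile

def allowed(st, uid, gids, want):
    """Classic Unix check: only the first matching class (owner, then group,
    then other) applies. want is rwx bits: 0o2 = write, 0o3 = write+search."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want

def audit_htaccess(docroot, uid, gids):
    """List (path, label) where the account uid/gids could change policy."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        # Write+search on a directory allows creating a new .htaccess in it,
        # even when an existing .htaccess file is itself read-only.
        if allowed(os.stat(dirpath), uid, gids, 0o3):
            findings.append((dirpath, "dir-writable"))
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            if allowed(os.stat(path), uid, gids, 0o2):
                findings.append((path, "file-writable"))
    return findings

if __name__ == "__main__":
    import pwd
    import sys
    if len(sys.argv) == 3:  # real run: DOCROOT SERVER_USER
        pw = pwd.getpwnam(sys.argv[2])
        root, uid = sys.argv[1], pw.pw_uid
        gids = set(os.getgrouplist(sys.argv[2], pw.pw_gid))
    else:  # constructed demo tree; the "server" uid is hypothetical
        root = tempfile.mkdtemp()
        open(os.path.join(root, ".htaccess"), "w").close()
        os.chmod(os.path.join(root, ".htaccess"), 0o666)
        os.chmod(root, 0o755)
        uid, gids = os.stat(root).st_uid + 1, set()
    for path, why in audit_htaccess(root, uid, gids):
        print(f"{why}: {path}")
```

A "dir-writable" finding matters only where overrides are still honoured; with AllowOverride None in effect for that directory, a newly created .htaccess is ignored.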