Bugtraq mailing list archives
Re: FrontPage + Apache + FreeBSD
From: paulsc () TECHWAVE COM (Paul Schandel)
Date: Fri, 26 Mar 1999 15:07:58 -0800
Your example was: <VirtualHost www.domain.com> DocumentRoot /virtual/domain.com ServerName www.domain.com ServerAlias domain.com </Virtual Host> Now, it that conf.. where does it point either the alias(domain.com) or virtual (www.domain.com) to a different directory? Since it doesnt point it to a different directory it is going to create and find that username and password in that directory. If you do this: <VirtualHost www.domain.com> DocumentRoot /virtual/domain.com ServerName www.domain.com </Virtual Host> <VirtualHost www.somedomain.com> DocumentRoot /virtual/somedomain.com ServerName www.somedomain.com </VirtualHost> it is now pointing each domain to its own directory. And creating seperate .htaccess files in seperate directories. This is how I have it configured and the problems you have explained never have occured with me. Paul Schandel FireTrail Internet Services, Ltd. Microsoft MVP FrontPage -----Original Message----- From: Gregory A. Carter [mailto:omni () dynmc net] Sent: Friday, March 26, 1999 2:44 PM To: Paul Schandel Cc: BUGTRAQ () netspace org Subject: Re: FrontPage + Apache + FreeBSD On Fri, 26 Mar 1999, Paul Schandel wrote: . This is not a security issue. Hence why they did not respond to you. . . In your own example of a VirtualHost you listed domain.com and alias . www.domain.com in the same hosting. . . In this instance why wouldnt FrontPage associate both domains as being in . the SAME directory and location. Hence the username and password are stored . in the same location. Are both working on the same ROOT WEB. you didnt . setup any subwebs so you wouldnt see any of those. It would be considered a . security issue if say www.somedomain.com opened with the user/pass of the . one set for www.domain.com. But in this instance it would not be. No this is not correct, when I'm going to www.domain.com... instead of the server pointing me at the root web of the virtual hosted site it brings me to the root web of the whole server. Sub webs have nothing to do with it. I wouldn't care about the problem at all accept for the fact the when it directs FrontPage Explorer to the main root web instead it also uses the VIRTUAL WEBS permissions. Hence as in my case I added a user to the virtual web and pointed my web site to www.domain.com (the virtual web alias), it brought up the MAIN web for the whole server but allowed me access with the virtual webs permissions. This is *definatly* a bug on M$'s side here. The extensions to at the LEAST recognize the "ServerAlias" directive in apache and either #1 Go to the right web or #2 deny access to the main root web of the whole server with the virtual webs usernames and passwords. Try it out you'll see what I mean. I was quite surprised when I added a u/p so a customer could edit their virtual web site and having them call up and mention that they had access to our main web site that's not virtualy hosted because they entered "www.domain.com" instead of "domain.com" in the list webs box. Greg +(Omni () Dynmc Net)------------------------------------------------------+ | Dynamic Networking Solutions InterX Technologies | | Senior Network Administrator bits/keyID 1024/7DF9C285 | | omni () interx net omni () itstudio net omni () undernet org omni () webpop3 com | +--------[ DC 50 57 59 C3 76 46 E8 EB 75 A8 94 FE 96 9E D3 ]----------+
Current thread:
- Re: FrontPage + Apache + FreeBSD Forrest J. Cavalier III (Mar 25)
- <Possible follow-ups>
- Re: FrontPage + Apache + FreeBSD Paul Schandel (Mar 26)
- Possible security hole Christoforos Karatzinis (Mar 26)
- Re: Possible security hole Jason Costomiris (Mar 29)
- Bypassing Excel Macro Virus Protection rotaiv (Mar 29)
- Re: FrontPage + Apache + FreeBSD Gregory A. Carter (Mar 26)
- Possible security hole Christoforos Karatzinis (Mar 26)
- Re: FrontPage + Apache + FreeBSD Paul Schandel (Mar 26)
- Re: FrontPage + Apache + FreeBSD -Reply Bob McConnell (Mar 29)