WebApp Sec mailing list archives

Re: htaccess with apache


From: Tim Greer <chatmaster () charter net>
Date: 04 Nov 2003 10:05:40 -0800

On Tue, 2003-11-04 at 05:49, Graham Lally wrote:
> Hi,


> You'll want to filter lots after that, although the easiest way is to 
> restrict the template name to valid characters, and remove everything 
> else. The regexp on the page is:
> 
>       /^[\w\-\.]*$/
> 
> So if template doesn't match that, something's wrong.

I also recommend making sure the file ends with a specific file
extension, so only certain HTML or template (or text) files can be opened:

/^[\w\-]*\.(?:html?|txt|tmpl)$/i  (for example--and you likely don't need
to capture those values, so use '?:' there)

> MORE IMPORTANTLY,
> /etc/passwd shouldn't be readable by the CGI server!

Sure it should be!  The default permissions (that are safe too) are 644
for this file.  Are you thinking of shadow or master.passwd???
-- 
Tim Greer <chatmaster () charter net>
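
The two regexps discussed above, worked through as an added example (Python's re module rather than Perl; not code from either poster). It shows the difference between Graham's "valid characters only" class and Tim's extension-anchored form, the '$' gotcha that both Perl and Python share (a pattern ending in '$' still accepts a name with one trailing newline, which is why the code below uses fullmatch), and a hypothetical resolve_template() helper that additionally confirms the resolved path still lies inside the template directory. The template directory name is assumed.

```python
"""Template-name validation in the spirit of the regexps in this thread.

Added example (Python re rather than Perl); not code from the original post.
"""
import os
import re
from typing import Optional

# Graham's class of allowed characters, anchored with '$' exactly as posted.
# Python's '$' (like Perl's) also matches just before a trailing newline, so
# re.match with this pattern accepts "index.html\n".
LOOSE_RE = re.compile(r"^[\w\-.]*$", re.ASCII)

# The same class checked with fullmatch, which refuses the trailing newline.
CHARS_RE = re.compile(r"[\w\-.]*", re.ASCII)

# Tim's extension-anchored form: one or more name characters (no dots),
# then exactly one permitted extension.  The group is non-capturing as Tim
# suggests.  re.ASCII keeps \w to [A-Za-z0-9_], as in a C-locale Perl.
TEMPLATE_RE = re.compile(r"[\w\-]+\.(?:html?|txt|tmpl)", re.ASCII | re.IGNORECASE)


def loose_ok(name: str) -> bool:
    """Graham's regexp applied with re.match: shows the '$'/newline gotcha."""
    return LOOSE_RE.match(name) is not None


def chars_only_ok(name: str) -> bool:
    """Graham's check done with fullmatch: the whole string must be in the class."""
    return CHARS_RE.fullmatch(name) is not None


def template_name_ok(name: str) -> bool:
    """Tim's check: allowed characters plus a required template extension."""
    return TEMPLATE_RE.fullmatch(name) is not None


def resolve_template(template_dir: str, name: str) -> Optional[str]:
    """Absolute path of the template to open, or None if the name is rejected.

    Hypothetical helper (not from the thread): after the regexp, also confirm
    the resolved path (symlinks followed) is still inside template_dir, so a
    later relaxation of the regexp cannot quietly reintroduce traversal.
    """
    if not template_name_ok(name):
        return None
    base = os.path.realpath(template_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    # Assumed template directory; the candidates are constructed test inputs.
    for candidate in ("index.html", "../../etc/passwd", "index.html\n", "..", "index"):
        print(repr(candidate), loose_ok(candidate), chars_only_ok(candidate),
              template_name_ok(candidate), resolve_template("/srv/templates", candidate))
```

Note that Graham's class-only check accepts ".." (every character is permitted), which is harmless only as long as the name is concatenated directly after a directory and nothing else; Tim's form refuses it because a name must contain at least one word character before a single dot and extension.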
