Bugtraq mailing list archives
Access control on W3C httpd server
From: plord () perrin demon co uk (Peter Lord)
Date: Wed, 30 Apr 1997 19:50:39 +0000
I came across this problem recently when using the CERN server. I couldn't find any references to it ... but I guess this *must* be well known. Still, better to speak up than to keep quiet.

My server has the following in the config file :-

    Protection secret {
        AuthType Basic
        ServerID mine
        PasswdFile /httpd/config/passwd
        GroupFile /httpd/config/group
        POST-Mask secret_group
        GET-Mask secret_group
        PUT-Mask webmaster
    }
    Protect /secret/* secret

Which works fine. When the client tries to access http://www.site.co.uk/secret/index.html, for example, the password box pops up.

However, if the client tries to access http://www.site.co.uk//secret/index.html (note the double slash), the server happily serves the document out.

Until I manage to have a dig around the sources, my temporary workaround is to add :-

    Protect //secret/* secret

Which seems to work (regardless of how many extra slashes are slotted in).

BTW, my source tree is the last available from CERN with a couple of local mods (syslog logging + BROWSE support for AOLPress) - I haven't touched anything which would affect this.

Comments?

Thanks,

Pete
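An added example, not part of the original post and not CERN httpd source: a minimal C sketch of why a template such as /secret/* misses //secret/index.html when it is compared against the raw request path, and how collapsing repeated slashes before the comparison closes the gap. The function names and the matcher are hypothetical, and the request paths are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical template matcher (not the CERN httpd one):
 * a trailing '*' matches any remainder of the path. */
static int template_match(const char *tmpl, const char *path)
{
    size_t n = strlen(tmpl);
    if (n > 0 && tmpl[n - 1] == '*')
        return strncmp(tmpl, path, n - 1) == 0;
    return strcmp(tmpl, path) == 0;
}

/* Collapse every run of '/' into one. Returns -1 if out is too small. */
static int collapse_slashes(const char *in, char *out, size_t outlen)
{
    size_t j = 0;
    if (outlen == 0)
        return -1;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (in[i] == '/' && j > 0 && out[j - 1] == '/')
            continue;                /* skip the repeated slash */
        if (j + 1 >= outlen)
            return -1;               /* keep room for the terminator */
        out[j++] = in[i];
    }
    out[j] = '\0';
    return 0;
}

/* Compare the template with the raw request path. */
int is_protected_raw(const char *tmpl, const char *path)
{
    return template_match(tmpl, path);
}

/* Canonicalise first; fail closed (require auth) if that is not possible. */
int is_protected_normalized(const char *tmpl, const char *path)
{
    char buf[1024];
    if (collapse_slashes(path, buf, sizeof buf) != 0)
        return 1;
    return template_match(tmpl, buf);
}

int main(void)
{
    const char *p = "//secret/index.html";   /* constructed sample path */
    printf("raw=%d normalized=%d\n", is_protected_raw("/secret/*", p),
           is_protected_normalized("/secret/*", p));
    return 0;
}
```

Normalising once, before any access-control decision, covers any number of extra slashes without adding a Protect rule per variant.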