Vulnerability Development mailing list archives
apache + .htpasswd - bypass pwd check
From: "Hallberg Tom" <tom.hallberg () rfv sfa se>
Date: 25 Apr 2002 09:45:00 +0200
Hi,

Yesterday I managed to bypass the pwd check when using .htpasswd. The problem now is that I'm not sure how to secure it.

Okay, let's say that user ivan has protected his /home/ivan/public_html/topsecret directory. On the same server we have the user johan; from his public_html directory we make a symlink:

    ln -s /home/ivan/public_html/topsecret test

So when johan tries http://www.hostname.whatever/~johan/test he will end up in ivan's topsecret directory.

So what have I missed in my httpd.conf or something else? :)

thanx
/Tom
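An added example, not part of the original post or thread: a Python audit script for the setup described above. It lists symlinks under each user's public_html that resolve outside that user's home directory or to files owned by a different uid, which is the ownership comparison Apache's `SymLinksIfOwnerMatch` option makes before following a link. The `/home/<user>/public_html` layout comes from the post; the function names and the demo tree are constructed for illustration.

```python
import os
import tempfile

def cross_user_symlinks(home_root):
    """Return (link, target, reasons) for risky symlinks under */public_html."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        home = os.path.realpath(os.path.join(home_root, user))
        web = os.path.join(home, "public_html")
        if not os.path.isdir(web):
            continue
        # os.walk lists symlinked directories but does not descend into them
        for dirpath, dirnames, filenames in os.walk(web):
            for name in dirnames + filenames:
                link = os.path.join(dirpath, name)
                if not os.path.islink(link):
                    continue
                target = os.path.realpath(link)
                reasons = []
                if os.path.commonpath([home, target]) != home:
                    reasons.append("leaves-home")
                try:
                    # link owner vs. owner of what it points to
                    if os.lstat(link).st_uid != os.stat(target).st_uid:
                        reasons.append("owner-mismatch")
                except OSError:
                    reasons.append("dangling")
                if reasons:
                    findings.append((link, target, reasons))
    return findings

def build_demo(root):
    """Constructed layout matching the post: ivan's topsecret, johan's link."""
    secret = os.path.join(root, "ivan", "public_html", "topsecret")
    os.makedirs(secret)
    web = os.path.join(root, "johan", "public_html")
    os.makedirs(web)
    os.symlink(secret, os.path.join(web, "test"))  # the link from the post
    os.symlink(web, os.path.join(web, "self"))     # stays inside johan's home
    return root

if __name__ == "__main__":
    # The demo tree is owned by one uid, so only "leaves-home" is reported;
    # on a real multi-user host "owner-mismatch" would be reported as well.
    with tempfile.TemporaryDirectory() as tmp:
        for link, target, reasons in cross_user_symlinks(build_demo(tmp)):
            print(link, "->", target, reasons)
```

On a real host, pass `/home` (or wherever user directories live) as `home_root` and run it as a user able to stat every home directory.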